VIRTUALIZATION: TOOLS  AND  STRATEGIES  FOR  A  NEW  IT.  ENVIRONMENT 


THE  EMPOWERED  CIO 

Toyota CIO Barbra Cooper on
how to craft a strategic plan

Page 54

WORKING WITH VCs

What you can do for them;
what they can do for you

Page 30


TECHNOLOGY  LEAD 


»  Your  Crime-Fighting  and 
Risk  Management  Plan 

» Interview  With  a  Mob  CIO* 

» IT  Lessons  from  the  Web’s 
Red  Light  District 

It  all  begins  on  Page  34 



Cubik Media CTO Greg Lindberg uses digital fingerprinting
and geocoding to give his site a leg up on the competition.


Columns 


30  Nothing  Ventured, 
Nothing  Gained 

career  How  working  with  VCs  can  help 
your  career  take  off.  By  Martha  Heller 

54  IT's  Corporate  Vision 
business  strategy  The  CIO  of  Toyota 
Motor  Sales  USA  combined  focus  groups, 
critical  analysis  and  information  integration 
to  bridge  Toyota  silos,  craft  a  long-term  vision 
and  cultivate  a  strategic  orientation. 

By  Barbra  Cooper 

60  Five  Things  I've  Learned 

the  voice  of  experience  Futurist  and 
technology  pundit  Esther  Dyson  talks  to  CIO 
about  blog  hype,  ICANN  and  what  you  can 
learn  from  startups. 


more  » 


SPECIAL  REPORT  Cybercrime 

34  Your  Plan  to  Fight  Cybercrime 

risk  management  Online  crime  is  organized,  its  perpetrators  attack 
deliberately,  and  the  likelihood  that  they  will  attack  your  company— and 
even  shut  it  down— is  growing.  Here’s  how  to  mitigate  that  risk. 

By  Christopher  Koch 

43  Interview  With  a  Mob  CIO 

i.t.  scams  The  facts,  the  scams,  are  real.  The  CIO?  Not  so  much. 

But  here’s  how  organized  crime  uses  technology  to  make  money. 

By  Scott  Berinato 

48  Lessons  from  the  Red  Light  Web 

emerging  technologies  Rarely  acknowledged  by  the  mainstream, 
adult  and  gaming  sites  collect  a  healthy  percentage  of  Web  traffic  and 
account  for  a  good  deal  of  innovation  too.  By  Ben  Worthen 


COVER  PHOTO-ILLUSTRATION  BY  STEPHEN  WEBSTER 


www.cio.com  |  JUNE  15,  2007  3 



(Cont.) 


In Every Issue

8 From the Editor

Why CIOs should encourage rebellion in
the ranks. By Abbie Lundberg

10 From the CEO

What you don’t do can be as important
as what you do do.

By Michael Friedenberg

15 Trendlines

► Mellon fights ID fraud

► Microsoft threats don’t faze Linux users

► The Ferrari of videoconferencing

► Basics for better employee ethics

► Mid-market: Training your tech vendors

► How to sell your staff on dashboards

► Beating the BI blues

23 Essential Technology

Virtualized servers create power and
hardware savings—and headaches, if
you’re not careful. Management tools can
help automate oversight.

By Katherine Walsh

58 Index

"It's somewhat ironic that the benefit of virtualization is
resource optimization, but it encourages messy behavior."

- CAMERON HAIGHT, RESEARCH VP, GARTNER, Page 23

[ RATE YOUR SECURITY PROGRAM ]

How Secure Are You?

The key to managing a successful security program
is identifying important risks and vulnerabilities
so you can mitigate them. Go to CIO.com to
take an interactive self-assessment quiz
developed by Roger Johnston, leader of the
Vulnerability Assessment Team at Los Alamos
National Laboratory. After taking the three-part
quiz, you can see how you stack up against your
peers. » quizzes.cio.com/security_assessment

[ LEADERSHIP ]

HOW CIOS CAN BE “GREAT”

Good to Great author Jim Collins sees CIOs
as quiet leaders who face many of the same
challenges that CEOs do. Read Senior Editor
Stephanie Overby’s interview with Collins
to learn about his latest leadership research
and advice for CIOs.
www.cio.com/article/112000

[ TUTORIAL ]

ABCS OF I.T. GOVERNANCE

Check out this tutorial on the business
case for solid IT governance. Share it with
your staff and colleagues so they see how
every company can use good governance
to stay on track for achieving business
goals, regulatory compliance and spending
accountability.

www.cio.com/article/111700

ADVICE & OPINION

KEYS TO AGILE IT.

Michael Hugos, a consultant
and former CIO, explains
how to make IT organizations
agile. Find Doing Business
in Real Time in the blogs
drop-down menu at
advice.cio.com


Right now @

cio.com

Movers and Shakers Gregor Bailar retires from Capital One
Peer to Peer How a CIO sold her CEO’s vision
Feature Open-source experts argue for and against using MySQL
Information Collective Why your BlackBerry causes speakers to buzz



FROM  THE  EDITOR 


BUSINESS  TECHNOLOGY  LEADERSHIP 


Want  a  Revolution? 

Why  CIOs  should  encourage  rebellion  in  the  ranks 

How  does  a  corporate  CIO  foster  “rebellious 
insightfulness”?  And  why  would  he  want  to? 

That  was  a  big  topic  of  conversation  at  last  month’s 
annual  Finnish  CIO  conference  in  Helsinki,  where 
I  shared  the  stage  with  IDC  Chief  Researcher  John 
Gantz (IDC is a sister company of CIO’s publisher)
and Nokia CIO John Clarke. The event was put on by
the newly launched Finnish edition of CIO.

Gantz talked about four explosions—of data,
devices, transactions and risk—and predicted that
everything  on  the  IP  network  will  eventually  end  up 
in  the  CIO’s  domain,  driving  IT’s  responsibility  beyond  the  traditional  boundaries  of 
the  organization  and  deeper  into  its  employees’  briefcases,  pockets  and  homes. 

This  “hyper-disruption”  (as  Gantz  calls  it)  is  what’s  driving  the  need  for  “rebellious 
insightfulness,”  according  to  Nokia’s  Clarke,  whose  company  has  a  lot  to  do  with  that 
explosion  in  devices.  (For  an  in-depth  look  at  the  explosion  in  risk,  check  out  our 
special  report  on  cybercrime,  beginning  on  Page  34.) 

CIO has written a lot about the incursion of consumer technology into the enterprise.
As Clarke put it, “The harsh reality is that the technology employees use at
work is inferior to the technology they have at home.” Clarke’s not fighting that reality;
rather, he’s planning to harness it. But understanding what customers really
want,  not  just  what  they  say  they  want,  requires  a  deeper  engagement  with  them,  he 
believes.  The  challenge  is  how  to  collaborate  with  people  who  are  not  part  of  your 
own  organization.  Clarke  thinks  the  answer  is  to  create  an  ecosystem  where  people 
can  share,  collaborate,  discuss  and  interact.  In  other  words,  the  answer  is  Web  2.0. 

To that end, Clarke is testing and supporting consumer apps and a broader range
of devices, and is developing more flexible security policies to create a platform for
“managed consumerization” in the pursuit of rebellious insightfulness. He’s focusing
on  new  collaboration  tools.  He  has  his  staff  creating  mash-ups  and  exploring  virtual 
worlds,  using  Skype  and  working  with  Amazon’s  APIs. 

His  hope  is  that  all  this  will  ultimately  lead  to  the  kinds  of  breakthroughs  Nokia 
and  many  other  companies  are  looking  for  in  this  time  of  hyper-disruption. 

Are  you  encouraging  rebellion  in  the  ranks?  We’d  love  to  hear  how  and  why,  and 
what  you  expect  to  get  out  of  it. 


Abbie  Lundberg,  Editor  in  Chief 

lundberg@cio.com


PHOTO  BY  STEVEN  VOTE 


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

EDITORIAL 

editor  in  chief  Abbie  Lundberg 
editor  David  Rosenbaum 

EXECUTIVE  EDITOR 

Elana  Varon 

TECHNOLOGY  EDITOR 

Laurianne  McLaughlin 

SENIOR  EDITORS 

Stephanie Gelston,

Stephanie  Overby 

SENIOR  WRITER 

Thomas  Wailgum 

ASSISTANT  MANAGING  EDITOR 

Emily  S.  Henderson 

SENIOR  COPY  EDITOR 

Cathy  Mallen 

COPY  EDITOR 

Susan  Bryant-Still 

ASSOCIATE  STAFF  WRITERS 

Christopher Lynch, Katherine Walsh

EDITORIAL  ADMINISTRATOR 

Jill  Paquette 

CONTRIBUTORS 

Scott Berinato, Barbra Cooper,
Martha Heller, Christopher Koch, Margaret Locher,
Elizabeth Montalbano, Ben Worthen

DESIGN 

EXECUTIVE  DIRECTOR,  ART  AND  DESIGN 

Mary  Lester 

ART  DIRECTOR 

Terri  Haas 

ONLINE  EDITORIAL 

ONLINE  EDITORIAL  DIRECTOR 

Christopher  Lindquist 

ONLINE  MANAGING  EDITOR 

Michael  Goldberg 

SENIOR  ONLINE  EDITORS 

Sandy Kendall, Meridith Levinson,

Shawna  McAlearney,  Esther  Schindler 

ASSOCIATE  ONLINE  EDITOR 

Diann  Daniel 

ONLINE  WRITER 

Al Sacco 

ONLINE  COPY  EDITOR 

David  Gradijan 

RESEARCH 

RESEARCH  MANAGER 

Carolyn  Johnson 

SENIOR  RESEARCH  ANALYST 

Seanna  Maguire 


CXO MEDIA INC.


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 


©CXO  Media  Inc. 


who covers what www.cio.com/staff
e-mail letters@cio.com
phone 508 872-0080
fax 508 879-7784
address CIO Magazine, CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
website www.cio.com
subscriber services 866 354-1125 • Fax 847 564-9453 • E-mail cio@omeda.com
reprint services Keith Williams • PARS International • 212 221-9595 ext. 319 • E-mail keith.williams@parsintl.com
rights and permission Yadira Pizarro • 212 221-9595 ext. 231 • E-mail yadira@parsintl.com



BUSINESS  TECHNOLOGY  LEADERSHIP 


FROM  THE  CEO 


Define  Your  Limits 

What  you  don’t  do  can  be  as  important  as  what  you  do  do 

Over  the  past  few  weeks,  it  has  been  my  pleasure 
to  meet  with  some  of  the  brightest  executives  in  the 
business.  I  asked  them  all  this  question:  “What  is  a 
simple  practice  that  you  do  in  your  organization  that 
helps  define  your  culture  and  creates  competitive 
advantage?” 

I  heard  lots  of  great  answers.  Some  were  very 
complicated;  others  were  profound  but  difficult  to 
replicate in all environments. Some centered on people
skills, others on product innovation and process
optimization.  However,  there  were  two  answers  that 
I  thought  were  simple,  brilliant  and  universally  applicable.  They  both  addressed 
management  and  each  offered  incredible  value.  I  bet  we  think  about  doing  them  all 
the  time,  but  I’ll  also  bet  that  many  of  us  do  not  practice  them  at  all. 

Jim Collins, author of Good to Great and Built to Last, suggested tweaking our to-do
lists. We all have them. In fact, the number-one thing on my current to-do list is
to write this column. But with all the projects thrown at us, it’s just impossible to do
everything. So when something gets added, what are you telling your team and yourself
to stop doing? In other words, your don’t-do list is just as important as your to-do
list. You can’t take care of your to-dos without figuring out your don’t-dos. Try it.

The  other  idea  came  from  Hess  CIO  Peter  Walton.  How  many  of  us  walk  the  walk 
when  it  comes  to  rewarding  failure?  If  you  really  want  to  create  a  culture  of  growth 
and  innovation,  chances  need  to  be  taken,  failure  needs  to  be  budgeted  for.  And  when 
your people fail, do you really accept it, or do you shrug and say, somewhat grudgingly
(and perhaps menacingly), “Better luck next time”? Well, Hess holds an annual
ceremony to celebrate the biggest failure of the year by presenting the President’s
Intelligent Risk Taking Award. To win, one must identify the risk assumed and the
steps taken to mitigate the risk—and one must have failed. The winner gets a trophy.
Really,  it’s  not  the  failure  that’s  being  honored,  it’s  the  willingness  to  take  prudent 
risks  in  a  risk-based  world. 

So,  what  simple  management  practices  do  you  have  that  help  define  your  culture  and 
improve  performance?  Please  send  me  your  best  practices  at  mfriedenberg@cio.com 
and  I  will  make  sure  to  share  them  with  all  of  you  in  a  future  column. 


Michael  Friedenberg,  President  and  CEO 

mfriedenberg@cio.com


PHOTO  BY  CHRISTOPHER  HARTING 


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

CXO  MEDIA 

CIRCULATION 

svp,  circulation  Carol  A.  Spach 

subscription  svcs.  supervisor  Tina  Pescaro 

CIO  EXECUTIVE  COUNCIL 

GENERAL  MANAGER  Mark  Hall 
MANAGING DIRECTOR, PROGRAM SERVICES Shaw Lively

vp,  development  Dexter  Siglin 
managing  dir.,  content  development  Richard  Pastore 
dir.,  external  relations  Karen  Fogerty 
director  of  research  Michael  Swenson 
marketing  communications  manager  Jennifer  Baker 
director  of  development  Steve  Rovniak 
senior  program  managers  Bill  Golden,  Carrie  Mathews 

PROGRAM  SERVICES  MANAGERS 

Joyce Dunnells, Michael Fahlsing, Ellen Friedman,
Bill Roche, Janet Williams
program specialists Lisa Desmarais, Susan Hupp

DEVELOPMENT  MANAGERS 

Patrick Clarke, Lauren DeLong, Steve Dodman,
John  Harrison,  Kathy  Mayer 

development  associate  Kristin  Bradshaw 

EXECUTIVE  PROGRAMS 

vp,  executive  programs  Ellen  Daly 
dir.,  event  marketing  Mary  Conroy 
dir.,  event  operations  Deb  Begreen 
senior  conference  producer  Judith  Kittredge 
event  planner  Sarah  Reagan 
event  coordinator  Bethany  Whiffin 
client  services  specialist  Cress  O'Brien 
client  relations  associate  Erica  Foster 
sales  associate  Nicole  Blackburn 

INFORMATION  SYSTEMS 

idg  dir.  of  information  services  Nancy  Newkirk 
it manager Sean McCracken

SENIOR  USER  SUPPORT  SPECIALISTS 

Christopher  A.  Kay,  Thomas  Lupien 

user  services  specialist  Gloria  Lam 
associate  user  support  specialist  James  Brevard 
senior  web  developer  David  Cohen 
web  developer  Sanghee  Seo 

PRODUCTION 

VP, MANUFACTURING Chris Cuoco

production  manager  Heidi  Broadley 
associate  production  manager  Lisa  M.  Stevenson 

MARKETING 

SR. DIRECTOR, MARKETING COMM. Sue Yanovitch

sr. marketing comm. specialist Susan Murray
marketing comm. specialist Lynn Holmlund

RESEARCH 

research  manager  Carolyn  Johnson 
senior  research  analyst  Seanna  Maguire 

ADMINISTRATION 

coo  Matt  Smith 

dir.,  finance  Margarita  Chiango 

SENIOR  FINANCIAL  ANALYST,  ONLINE  AND 

integrated  products  Chris  Bernardi 
executive  assistant  to  the  president  Diane  Martin 
facilities  specialist  John  Kelley 
office  services  coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

vp,  human  resources  Patricia  Chisholm 

hr  representative  Pauline  Boyle 


INTERNATIONAL  DATA  GROUP 

board  chairman  Patrick  J.  McGovern 

president,  idg  communications  Bob  Carrigan 



EDITED  BY  LAURIANNE  McLAUGHLIN  NEW  *  HOT  *  UNEXPECTED 


Mellon  Fights  ID  Fraud 


authentication Have you been asked to chime in to your company’s version of
“Who are you?” If not, you probably will soon, especially if you’re in a services
industry. More CIOs are facing the need to revamp authentication technologies, used
to log employees or customers in to online systems. Authentication must maintain a
delicate balance: It needs to be strong enough to keep crooks out but understandable
enough for customers to complete successfully. One approach, knowledge-based
authentication (KBA), is gaining popularity.

The basic premise of KBA is this: To log in, users answer a series of multiple-choice
questions that are based on data from public records about them—say relating to a
real estate purchase—and are gathered by a third-party KBA provider.

For Mellon Investor Services (a subsidiary of Mellon Financial, providing shareholder
services and related securities products to small- to Fortune 500-size firms), the
move to KBA started with a longtime problem, says CTO Marc Librizzi. The firm had
a large user population of individual shareholders, and no common data to help
authenticate them.

A bottom-line business need drove Mellon to find a new authentication method that
was workable: Every time someone chooses the call center instead of the website, it
costs the company more

Continued on Page 16



Linux  Users  Shrug  Off  Microsoft  Patent  Threats 


open source Linux supporters are thumbing their collective noses at Microsoft’s
recent claim that it will seek royalties from users and distributors on 235 patents it
holds for technologies in Linux and open-source software, saying they’re not worried
about patent infringement litigation.

The general consensus: Microsoft’s threats of litigation—in recent statements
Microsoft executives made to Fortune magazine—show that the software giant is afraid
of the competitive threat that Linux and open-source software pose.

Joe Lindsay, CIO of mortgage company Secured Funding, says that Microsoft’s attempt
to cause fear, confusion and doubt may scare some users in the short term but will not
stop open source’s momentum. “It’s like saying I have a big baseball bat, and I’m
going to hit somebody,” he says.

Linux distributors too were nonplussed, and Novell—which struck a licensing deal that
included paying royalties on Linux to Microsoft last year—seemed annoyed. Horacio
Gutierrez, Microsoft’s VP of intellectual property and licensing, cited the Novell
deal as a model for how Microsoft wants to settle patent differences. However, Novell
never admitted infringing on patents, a Novell blog pointed out.

Some suggest that the threat of patent litigation could be turned: There’s as much
potential patent infringement in Windows as in open source, says Jim Zemlin, executive
director of the Linux Foundation, a nonprofit that promotes the OS.

“Microsoft is certainly not the only owner of patents in this area, and perhaps not
even the owner of the largest number of patents in these areas,” Zemlin says. (The
Unix code on which Linux is based, of course, precedes Windows.)

Lindsay calls Microsoft’s move a reaction to competitors like Google. “Their business
model is fundamentally changing and Microsoft is using the courthouse to extend their
old way of doing business,” he says.

-Elizabeth  Montalbano 


ILLUSTRATION  BY  IMAGES.COM/CORBIS 



TRENDLINES 


The  Ferrari  of  | 

Videoconferencing  | 


ID  Fraud 

Continued  from  Page  15 


communications  Think  videoconferencing  with  muscle  and 
you’ve  got  telepresence.  This  ultrahigh-end  technology  features  HD, 
large  plasma  screens  and  fancy  acoustics  in  a  specially  constructed 
room.  Participants  appear  on  the  screen  in  life  size  and  with  zero  latency, 
says  Claire  Schooley,  a  senior  analyst  at  Forrester.  Should  this  emerging 
technology  be  on  your  radar  screen? 

While  telepresence  may  bridge  the  gap  between  meeting  participants 
in  a  way  that  wasn’t  possible  with  traditional  Web  videoconferences,  it’s 
still  cost-prohibitive  for  most  companies.  HP’s  telepresence  solution, 

HP  Halo,  rings  in  at  $425,000.  Cisco’s  Telepresence  3000  (a  six-seat, 
three-screen  telepresence  room)  and  solutions  from  Teliris,  Polycom  and 
Tandberg  each  cost  around  $300,000,  Schooley  says.  Add  on  monthly 
fees  for  a  concierge  service  to  operate  the  meeting  and  room  (sometimes 
offsite),  and  you  see  that  this  doesn’t  suit  a  small  organization.  However, 
it’s  effective  for  an  executive  who  makes  frequent  trips  among  global 
offices.  “Since  these  executives  would  use  first  class  fares,  in  the  long  run 
it’s  more  cost-effective  to  do  telepresence,"  she  says.  In  industries  where 
visuals  are  critical,  telepresence  could  also  earn  its  keep,  she  adds. 

An  alternative:  Upstart  firm  Telanetix  is  winning  some  attention  for  its 
approach.  Customers  can  get  started  for  $1,000  a  month  on  a  financing 
plan,  for  a  lower  up-front  investment.  Telanetix  says  this  makes  its 
offering  more  attractive  to  midsize  companies,  as  does  the  fact  that  its 
technology  plugs  into  your  existing  meeting  room,  whereas  the  Cisco 
and  HP  products  pose  strict  room  and  hardware  rules. 

Telepresence  users  are  still  relatively  elite,  but  globalization  and  the 
increasing  need  for  collaboration  will  drive  demand,  Schooley  says,  as 
will  frustrations  with  overseas  travel.  Research  firm  Frost  &  Sullivan  esti¬ 
mates  that  revenues  in  the  North  American  telepresence  market  totaled 
$27.6  million  in  2006  and  are  likely  to  reach  $610.5  million  in  2013. 

-Katherine  Walsh 


Why  Employees  Misbehave 

How  can  companies  best  promote  ethical  behavior  by  employees? 
According  to  recent  research,  your  first  thought  shouldn’t  be  training. 

It  should  be  helping  your  staffers  strike  a  good  work-life  balance: 


[Chart: survey results on factors in ethical behavior at work (figures shown: 26%, 60%); chart labels not legible in the scan.]


SOURCE:  Harris  Interactive 


money. First, Mellon Investor Services tried a system in 2006 where
shareholders logging in for the first time were sent an investor ID via
postal mail, then went online to request an access code, which was sent
in a second piece of postal mail. Volume to Mellon’s related call center
went up. “We needed to allow real-time access to our system,” Librizzi says.

So Mellon rolled out a KBA solution from Verid in March 2007. Today,
Mellon shareholders get the investor ID by postal mail, then visit the
website to answer three multiple-choice questions. If successful, they
can set up a PIN and use the system immediately if desired.

What are the questions like? According to Verid COO Chris Rickborn, the
company uses data derived from public records, much of it from regulated
records available to companies doing ID verification. Questions might
include the color of your car, previous addresses, age range of a family
member or date of purchase of a property, Rickborn says.

Among the aspects of KBA that Mellon likes, it doesn’t maintain the
repository of personal data as it would have to with hint-style systems,
Librizzi says.

Why not choose an option like RSA-style security tokens? Tokens aren’t a
regulatory requirement, and dual-factor authentication “isn’t realistic
with a base of 18 million shareholders,” Librizzi says, noting the
potential for lost or broken tokens.

On the plus side, says Gartner VP and Research Director Avivah Litan,
KBA doesn’t require special hardware or client software, and it can be
invoked at any time in the customer lifecycle. On the minus side, KBA
questions and answers are subject to compromise, via guessing or stealing
of data such as credit reports. She predicts next-generation KBA will be
stronger but may involve consumer privacy concerns.

-Laurianne  McLaughlin 


16  JUNE  15,  2007  |  www.cio.com 




TRENDLINES 


TIPS  for  Training  Your  Tech  Vendors 


MID-MARKET When you’re a mid-market CIO, you may often feel like you’re
not receiving your vendors’ full attention. After all, the big boys have
more money to spend and more staff to help manage vendor relationships.
Want to learn a few new tricks? Here are some tips from your peers,
traded at CIO’s recent leadership conference:

1. Share the business plan. “I am very much into collaboration and find
sharing your future business plans often helps the vendor understand just
what is at stake,” says Sandy Rasel, VP, global process and applications
management, McCormick & Company. “You are able to have a much richer
dialogue that supports your future direction and engages the vendor to
work with you.”

2. When negotiating, Web search first. You’ll be amazed at the invoices
and price data that you can find online when you search on a particular
hardware part number or software package, says a mid-market CIO who
recently used this tactic when purchasing a WAN acceleration device and
some high-end analysis software.

3. Show ’em the competition. “One of the best things we’ve done is a
vendor appreciation day event,” says Kevin Lupowitz, CIO for Liquidnet
Holdings. Typically a golf outing and lobster dinner, this “builds great
partnerships and individual loyalty. It also lets our vendors see who
else we’re working with, which helps maintain the sense of urgency to
stay competitive.”

4. Hire away one of the vendor’s sales reps. Who’s better to manage your
relationship with that vendor than someone who knows the players and
angles?

5. Play the Google card. Let vendors know that you’re interested in
Google Apps. Better still, consider banding together with other CIOs and
presenting Google with requirements regarding Google Apps, says Ben
Allegretti, former U.S. Marine Corps Systems Command CIO. “What if Google
responded by building in added capabilities to meet our requirements?
That just might change the entire dynamic of our relationships with some
of our software suppliers,” he says.

-Laurianne McLaughlin


How to Sell Your Staff on DASHBOARDS


MANAGEMENT TOOLS As dashboards—tools that show IT performance metrics
and other measures in one graphics-rich window—become more widely
deployed, you must position them well to your staff, says Gloria
Campbell, associate professor of business administration at Wartburg
College in Iowa. Selling them in the right way—especially to the midlevel
and lower ranks—will help you utilize the tools effectively, without
employees thinking you’ve channeled Orwell and gone “1984” on them. Her
advice:

► Let employees help set the metrics. When employees help determine what
a dashboard will measure, they’re more likely to think it’s a fair tool
for measuring productivity and performance. “If people think the metrics
are appropriately set, they’re not going to feel as threatened,” says
Campbell.

► Stress the benefits of transparency. Tell employees they’ll see the
type of data that years ago may have lived only in the office of the CFO.
Employees can use the information to stay abreast of the company’s
performance. When something substantial happens to the business, they
won’t feel broadsided.

► Explain the performance upside. A boss who’s using dashboards to track
employee performance is not hiding a secret spreadsheet that tracks his
winners and losers, only to be revealed at the end of the quarter. “You
not only know how you’re doing, you know how your competitors are doing
in other departments,” Campbell says.

►  Show  how  dashboards  can 
prevent  problems.  Employees  can 
be  less  reactive,  and  more  proactive, 
when  using  dashboards— anticipating 
problems  and  solving  them  before  the 
boss  even  has  the  chance  to  pick  up 
the  phone. 

-C.G.  Lynch 


[Illustration: dashboard gauge labeled EMPLOYEE SATISFACTION, scale 0% to 100%]




Beating the BI Blues

BUSINESS INTELLIGENCE Many companies approach business intelligence from
the wrong angle, leading to a lot of wasted effort by IT. In fact,
companies spend more than 70 percent of the time, energy and money they
dedicate to business intelligence on people and process issues, according
to a recent Gartner study of BI accessibility. That’s a costly sink, says
Gartner analyst Betsy Burton. “The mistake a lot of executives make is
trying to buy technology in the hopes that it will apply to the business
objective,” Burton says. “Companies should start any business
intelligence effort by defining the business objective and then the
people, metrics and processes that support those objectives.”

What are the key obstacles that IT faces in constructing efficient BI
systems? A lack of effective support from senior management really hurts.
Yet of 350 global organizations Gartner surveyed, only 10 percent of BI
and performance management efforts were sponsored by a C-level executive.
Another problem: Many companies come at the BI issue wanting to “fix” or
“clean up” the data. “Cleaning up data is not a business objective,”
Burton says. But that’s how many IT executives drive their company’s BI
efforts, and as a result, the IT organization spends its time responding
to tactical requirements, instead of driving business objectives.

“It’s important to have a team to bridge the divide” between IT and
business expectations, she says. Companies that are ahead of the game
have formed business intelligence competency centers (BICC) to help their
organization master intelligence management, she says.

Smart BI planning will only grow in importance for CIOs. Most
organizations are facing an information explosion but don’t yet have a
management strategy for it—and IT can sometimes be seen as the root of
this problem, Burton says. Looking ahead, information management is one
area where the CIO will be expected to act as a trusted adviser to the
business.


Best Practices

Get an executive to sponsor your information management efforts.
Consider the organizational structure, so you are able to adapt to
changing business priorities.

Define the objectives necessary to deliver the business strategy. Don’t
get mired in cleaning up the data. Construct your BI plan to improve on
current processes, with an eye toward technology that plays into
achieving the business objectives.

Compare your plan with the current initiatives, tools and technologies.
Your plan should strike a balance between strategic perspective and
tactical requirements. It should be flexible enough to evolve over the
next decade.


Where Are the BI Champions?


Only 10% of BI efforts are sponsored by a C-level executive with a
direct link to the business.

40%  are  sponsored  by  other  business  executives. 

25%  are  sponsored  by  an  IT  manager. 

25%  have  no  executive  sponsor. 


This  is  why... 


Between  2006  and  2012, 
Global  1000  organizations 
will  experience  a  threefold 
increase  in  data,  content  and 
application  quality  issues. 


you’ll need BI


SOURCE:  Gartner 




ADVERTISEMENT 


CIO  EXECUTIVE  VIEWPOINT 

Integrated  Virtualization: 

Transforming  IT  Infrastructures  to  Deliver  More  Value 


Scott  Crenshaw 

Vice  President,  Enterprise  Linux  Line  of  Business,  Red  Hat 

Scott Crenshaw holds P&L responsibility for Red Hat Enterprise Linux Platform,
including the company’s storage, security and client product lines. Previously,
he was CEO of security technology vendor NTRU, and held several executive
positions at enterprise software vendor Datawatch. Crenshaw received an MBA
from the Massachusetts Institute of Technology and a BS in computer science
from North Carolina State University.


The  real  promise  of  virtualization  extends 
far  beyond  consolidation.  “Delivered  as  a 
common  platform  for  servers  and  storage, 
virtualization  fundamentally  transforms  IT’s 
ability  to  build  a  more  flexible  and  responsive 
infrastructure,”  says  Scott  Crenshaw,  vice 
president at Raleigh, N.C.-based Red Hat.
Read  on  for  more  insight  from  Crenshaw  on 
this  hot  topic. 

How  can  virtualization  unlock  the  real 
value  of  IT  investments? 

Virtualization makes IT more responsive, more flexible and more
cost-effective. Consolidation is the poster child for good reason:
Industry statistics show that average servers are utilized at only 15 to
20 percent, so there’s a lot of wasted capacity. Virtualization enables
better utilization to get more out of IT assets. Virtualization also
offers higher availability, better response times and more agility, and
it does all this while reducing costs—not increasing them. To fully
unlock its potential, enterprises must deploy server and storage
virtualization as a common platform.

"Virtualization  makes  IT  more 
responsive,  more  flexible 
and  more  cost-effective" 

What  does  integrated  virtualization 
technology  bring  to  the  table? 

The economies of buying and supporting virtualization as an add-on
require business cases for every server. This effectively limits use to
obvious purposes like server consolidation and testing. But that’s just
the tip of the iceberg. Through integration with the operating system,
the economics of virtualization are being redefined, making
once-impractical use cases possible. Now, virtualization can be used for
high availability, disaster recovery and even capacity on demand.
Integrated virtualization also yields better performance and much simpler
deployment because all of the components come preassembled, pretested and
preintegrated.


What  are  today’s  “must  have” 
management  capabilities? 

For many, virtualization usage is still developing, so the management
needs are fairly straightforward: the ability to provision machines,
start and stop them, manage resource utilization, monitor performance,
etc. However, as virtualization evolves, management requirements will
grow substantially to include things like policy-based resource
management and migration management, not just within the enterprise but
to shared resources in the cloud. Most organizations need to develop a
degree of expertise and comfort with virtualization, and maturity with
some of the purchasing and political patterns associated with IT
deployment, before they’ll need these more advanced management
capabilities.

What  are  some  of  the  advantages 
of  implementing  Linux-based 
virtualization? 

Linux is an appealing virtualization platform namely because it’s known
for the characteristics enterprises look for in product deployment:
reliability, availability and security. In addition, the open source
model means the quality and security characteristics of Linux are
verified by literally millions of eyeballs, not just the QA resources of
a single vendor. Enterprises need to know that their infrastructure is
secure today and that it will remain so over time. That assurance can
only be achieved by encouraging independent scrutiny on a very large
scale.

What  are  the  key  elements  of  a  great 
virtualization  strategy? 

First, deploy virtualization in a thoughtful manner, determining which
areas can achieve the best performance, consolidation or availability
gains, and putting some early wins on board. Second, build on a solid
virtualization platform, one that has great reliability, availability and
security, and that provides the economics for universal development.
Third, as comfort builds, expand its use beyond the initial applications,
making virtualization the basis for an IT infrastructure that delivers
better service, responsiveness, availability and economics. In short,
start small and think big.

Where  is  Linux  on  the  maturity  scale 
as  an  enterprise-wide  virtualization 
solution? 

Driven by its performance, reliability and economic benefits, Linux is
demonstrably the platform of choice for mission-critical, highly
available applications, spanning from the core of the data center to the
edge of the network. The beauty of the open source model is that
customers have been participating in the evaluation of Linux-based
virtualization for more than two years, so today’s solutions reflect that
field experience. And with open source, innovation occurs quickly.
Customers can develop a very stable platform today and over time adopt
new management tools that will substantially expand the benefits they can
derive from virtualization.


For More Information: Check out this white paper, “Dynamic IT: Expand
Your Capabilities With Red Hat Open Source,” at
www.cio.com/whitepapers/redhat.




ESSENTIAL 


FROM INCEPTION TO IMPLEMENTATION — I.T. THAT MATTERS


Edited  by  Laurianne  McLaughlin 

lmclaughlin@cio.com 


Virtualized  servers 
create  power  and 
hardware  savings 
—and  headaches, 
if  you’re  not  careful. 
Management  tools 
can  help  automate 
oversight. 


Thinking  Inside 
the  Boxes 

BY  KATHERINE  WALSH 

DATACENTER | For Monster.com, the initial benefits of virtualization in the data center
were easy to see: With 500 virtual machines (VMs) running on 17 servers, Monster
cut power and hardware spending and improved efficiency, since virtual machines can be
deployed much faster than standard hardware. But as Monster’s virtual environment got
big, and got big fast, management problems arose. The worst one: The company didn’t have
enough visibility into which applications were competing with each other across storage
and server resources—and this was affecting IT’s ability to meet service-level goals, says
Pete King, manager of monitoring and analysis at Monster.

“We ran into a lot of contention,” says King.

So King turned to BalancePoint, a workload balancing and applications
service-level-management tool from startup Akorri, to ease the pain. BalancePoint shows
when and why a particular VM is not performing up to standard, and based on that data,
King can redistribute the load to increase efficiency. It analyzes performance on the
VMware side and storage area network side to avoid virtual fights for resources.


ILLUSTRATION  BY  ANASTASIA  VASILAKIS 




Now that Monster has been using BalancePoint for a little more than a
year, “there’s less trial and error,” says Paul Neilson, senior vice
president of technology services. Monster no longer has to move VMs
around based on “intuition,” he adds.

Almost everyone using server virtualization will bump up against one or
more of the common management problems, including workload balancing, “VM
sprawl” and disaster recovery plan complications, says IDC analyst
Stephen Elliot. Tools from VMware and a growing number of third-party
vendors can help.

Keep  Your  Balance 

Workload balancing can be a tough problem to get your arms around. One
key benefit of virtual machines is the ability to move them easily from
one physical server to another. Problem is, it’s hard to know how many
VMs on a particular server are too many—since the answer may depend on
the applications, plus factors like memory and attached storage. In an
environment where critical applications compete for the same server, it
becomes difficult to see which applications are contending with each
other, and this affects a company’s ability to prevent slowdowns.

For Monster, managing this challenge required multiple tools, a situation
that’s not uncommon. Monster uses Akorri’s BalancePoint to augment the
capabilities of VMware’s two main management products, VMotion (which
increases hardware utilization by migrating VMs on failing or
underperforming servers to another machine) and Distributed Resource
Scheduler (which couples with VMotion to allocate resources to
high-priority VMs based on preestablished rules you set).

A  key  point:  DRS  and  VMotion  show 
where  to  balance  workload,  but  they 
aren’t  analytical  and  don’t  see  contention 
with  other  apps  outside  of  VMware,  King 
says.  Since  BalancePoint  isn’t  tied  to  the 
OS,  it  can  see  if  VMware  performance  is 
impacted  by  other  apps  residing  on  the 
same  SAN  resources,  he  says.  “DRS  just 
sees  what  it  sees  for  performance  through 
the  host  (CPU,  memory  and  storage),  but 
it  can’t  see  what  the  database  server  that’s 
on  the  same  side  as  the  SAN  is  doing,” 
says  King. 

The more VMs you move into production, the more critical predictability
becomes, says Rick Knode, director of computing and communications
infrastructure for San Diego Data Processing Corp. (SDDPC), a nonprofit
provider of government IT solutions that serves customers like state
agencies. Knode needed help managing resources in the company’s current
environment (50 VMs on three servers) and in the future: Approximately
100 additional VMs will be added to production in the next fiscal year,
Knode says. He looked to Vizioncore’s esxCharter tool to obtain
performance information on SDDPC’s VMware ESX servers in real-time. This
tool looks at performance levels and processes running inside the virtual
machine. Being able to adjust the CPU power and memory allocated to VMs
is critical when you need to make on-the-fly adjustments and terminate or
move processes that are adversely affecting environments, Knode says. “It
gives you more visibility into what’s going on.” For example, if a
specific VM is eating away at one of his processors and affecting other
VMs on that processor, he can use DRS and VMotion to move the VM onto
another processor. But he says he wouldn’t know which VMs to move without
Vizioncore.


Average utilization of an Intel-based server: less than 10%. Excess
server capacity sitting around worldwide:

SOURCE: IDC

At Wachovia, the fourth largest bank in the United States, Tony Bishop,
chief architect, turned to Scalent for help balancing workloads for his
1,000 VMs running on a few hundred servers used in development, testing
and back-office roles. Scalent, which may be used independently or in
concert with VMware, helps Bishop repurpose servers quickly. “Some of the
other [management] tools we looked at also have forms of provisioning,
but they don’t have the ability to act in as near real-time as possible,
like Scalent can,” says Bishop. Scalent’s software gives him management
flexibility when apps are competing for resources, he says.


Monster didn’t have enough visibility into which apps were competing
across storage and virtual server resources: “We ran into a lot of
contention.”

-Pete  King,  manager  of  monitoring  and  analysis,  Monster.com 




Masters  of  Disaster 

Flexibility also pays with regard to disaster recovery, an area where
CIOs are increasingly looking to virtualization. Nate Stuyvesant, CTO of
Genilogix, an IT consultancy, says disaster recovery is his company’s
biggest IT management issue, period. He’s not alone.

According  to  Gartner  data,  70  percent 
to  75  percent  of  Gartner’s  clients  who  are 
using  virtualization  for  x86  servers  are 
also  using  it  for  disaster  recovery. 

Genilogix runs 60 VMs on four servers across development, testing and
production environments. Stuyvesant relies on VMotion to move a server
over to another physical box and effectively eliminate downtime. VMware’s
DRS tool alone is a cogent reason to consider virtualization in the first
place, he says.

Eric Miller, president and CEO of Genesis Multimedia, a Web hosting
company that also designs its customers’ Web applications, uses VMotion
to increase uptime and improve reliability in his environment of 55
virtual machines running on three hosts, where some customers need higher
utilization than others. Miller relies on VMotion, driven by DRS, to move
the virtual machines around.

Genesis is no stranger to virtualization—it has been operating in a
virtual server environment since VMware made its debut—but management
isn’t always easy. The initial move to consolidate 12 servers used for
Web hosting, and two larger servers for database systems, helped Genesis
manage its physical servers, but moving virtual machines around,
implementing patches and performing BIOS upgrades without experiencing
downtime was difficult, Miller says. As an infrastructure provider,
Genesis must provide high service levels, so uptime is critical. “We
couldn’t maintain those without VMotion and DRS,” says Miller.


Virtual Tutorial

For more background and tips on doing virtualization right, see ABC: AN
INTRODUCTION TO VIRTUALIZATION, www.cio.com/article/40701

Add-on  tools  can  help  address  the  prob¬ 
lem  of  “VM  sprawl,”  by  keeping  track  of 
how  many  VMs  you  have  and  where. 

“It’s  somewhat  ironic  that  the  benefit  of 
virtualization  is  resource  optimization, 
but  it  encourages  messy  behavior,”  says 
Cameron  Haight,  a  research  vice  president 
at  Gartner,  noting  that  almost  all  his  clients 
cite  VM  sprawl  as  a  big  worry.  “You  can 
spend  these  things  so  quickly  that  you  lose 
track  of  what  you  have,”  Haight  says. 

SDDPC’s  Knode  says  Vizioncore  helps 
him  prevent  VM  sprawl  in  the  first  place. 
“By  watching  the  metrics  of  the  virtual 
environment,  we  plan  ahead.  So  by  using 
VMware  and  Vizioncore  I  can  see  how 
many  additional  resources  are  available 
on  an  ESX  host,  and  when  is  a  good  point 
to  move  machines  or  purchase  additional 
servers  or  storage.  We’re  using  the  product 
as  a  preventative  measure.” 

Virtualization  3.0 

Monster’s King and Wachovia’s Bishop both say they’d like virtualization
management vendors to take the next step—better integration of their
tools with existing management software. For example, King would like to
see the tools in HP’s Mercury Business Availability Center suite (which
Monster uses for transaction and infrastructure monitoring) integrated
with BalancePoint.

Bishop agrees: “We’ve achieved very good results, but we’re trying to
create an integrated management capability with all the tools in one
view.” Bishop, who uses HP’s Mercury BAC suite, OpTier CoreFirst and
Symantec i3, would like to see these tools better integrated with
Scalent, VMware and DataSynapse, which he uses for application
virtualization. After all, he says, virtualization tools can solve
manageability issues, but CIOs want a holistic management picture.


Reach  Associate  Staff  Writer  Katherine  Walsh 
at  kwalsh@cio.com.  To  comment  on  this  article, 
go  to  www.cio.com/article/117256. 


TOOLBOX

Virtual Success

VMware

VMotion and Distributed Resource Scheduler (DRS) are part of the VMware Infrastructure 3 suite’s enterprise edition. DRS handles dynamic workload balancing, while VMotion migrates VMs across physical servers.

Scalent Systems

Scalent’s Virtual Operating Environment (V/OE) tools, which may be used with or without VMware, maintain network and storage connections while moving servers. Scalent also redeploys servers in case of failure or load change.

Vizioncore

Vizioncore’s esxCharter tool augments the capabilities of VMware, letting you compare the performance of individual VMs, spot bottlenecks and create long-term performance reports.

Akorri

Akorri's BalancePoint bridges the gap between server and storage components, providing insight into virtualized machines and the SAN, locating points of contention and providing troubleshooting analysis.

You’ll find about 50 other vendors tackling virtualization management, says Cameron Haight, a research VP at Gartner, including: Platespin (disaster recovery and migration); Aurema (recently acquired by Citrix, VMware resource management); Cirba (data center consolidation planning); BMC (capacity planning); and CA (performance monitoring across multiple infrastructures, including VMware, Sun and AIX). -K.W.


28  JUNE  15,  2007  |  www.cio.com 


ADVERTISEMENT 


IP COMMUNICATIONS ON THE BRAIN

IDG RESEARCH SHOWS TANGIBLE BENEFITS ARE PUSHING VOIP ADOPTION INTO THE MAINSTREAM

“Technology adoption nirvana occurs when a core need drives both the business and IT organizations,” says Joseph Staples, senior vice president of worldwide marketing at Indianapolis, IN-based Interactive Intelligence, Inc. “IP communications exemplifies this phenomenon.”

But  are  enterprises  really  on  board  for  widespread 
adoption? 

In a recent survey, IDG Research Services asked senior IT and corporate management leaders from a cross-section of industries — including financial services, healthcare, government, high-tech, manufacturing and more — just that. Their answer: a resounding “yes.” Despite some lingering market perceptions, IP communications is a mature technology in the midst of broad adoption — primarily due to the many tangible benefits for both IT and business leaders.

Read  on  to  learn  more  about  survey  results. 

IP  PBXS  ARE  IN  THE  MAINSTREAM 

Some 63 percent of respondents indicate they will have IP PBXs installed within 12 months, up from 50 percent who have the technology today. Additionally, hosted Voice-over-IP (VoIP) use will grow from 23 percent to 30 percent in the coming months.

CIOs are migrating to IP communications for access to more advanced telephony-based applications, help in managing distributed business environments and, of course, the promise of significant cost savings.

“But  what’s  truly  fascinating  is  the  ‘follower  mentality’ 
that’s  at  play  here,”  says  Staples.  “Some  enterprises  will 
implement  VoIP  simply  because  it’s  the  thing  to  do.”  A 
spot-on  decision,  albeit  undefined. 

Of those burgeoning applications for IP telephony, respondents expect an increase in unified messaging deployments from 30 percent to 49 percent in the next 12 months. Unified messaging is the long-heralded “killer app” that, thanks to VoIP, may finally be taking hold.


Respondents  point  to  videoconferencing,  unified 
messaging,  audioconferencing  and  remote/teleworker 
solutions  as  top  priorities  for  future  investments  in  IP 
communication  solutions. 

BUSINESS  IMPERATIVES  ARE  DRIVING 
INVESTMENTS 

Perhaps most intriguing: Business needs are driving investments in IP communications. Respondents’ primary reasons include the need for more connectedness, the increase in mobile employees, the desire for increased productivity and user demand for current technology.

“Business managers are pushing for VoIP implementations and applications because being unconnected during a layover at the airport simply doesn’t cut it anymore,” says Staples.

But  IT  is  on  board  too  as  VoIP  technology  is  seen  as  an 
effective  method  to  ease  deployments,  eliminate  the 
need  for  separate  communication  paths,  and  ensure 
employees  have  the  same  communication  experience 
regardless  of  location. 

Product  performance  (74  percent)  and  security  (63 
percent)  are  top-rated  criteria  in  the  selection  process. 

Roughly one-half of respondents rate their current vendors as “excellent” or “very good” in terms of delivering on performance and security. Yet, average vendor performance vs. average importance is surprisingly low for such important items.

“This  gap  is  created  by  lesser-known,  less-experienced 
IP  telephony  vendors,”  concludes  Staples.  “If  you  carve 
out  solutions  from  the  top  10  vendors,  that  gap  would 
narrow  quickly.” 


Investment in IP communications isn’t a matter of if, but rather when. Go to www.cio.com/whitepapers/inin now to obtain a free download of the full survey results with enlightening commentary from key respondents.

Speech recognition is also anticipated to grow significantly, largely because it’s now more affordable and reliable. Similarly, presence management is slotted for expansion as its use continues to extend beyond the contact center.

Interactive Intelligence

Deliberately Innovative

Custom Solutions Group


Martha Heller CAREER STRATEGIST

Nothing Ventured, Nothing Gained

How working with VCs can help your career take off

As you flip through the pages of your Rolodex (or more likely, your Outlook database), some standard categories of contacts will regularly appear: past colleagues, former bosses, executive recruiters, vendors and the like. Now look again: If “venture capitalists” does not appear as one of your primary networking groups, you are missing out on what could be a major catalyst for your career.

VCs  frequently  ask  me  to  introduce  them  to  my  network  of 
CIOs,  and  it’s  easy  to  understand  why.  CIOs  have  much  to  offer 
a  VC  in  need  of  customer  feedback  on  the  product  potential  of 
their  portfolio  companies. 

“Most VC firms, particularly those who invest in enterprise technology companies, have an interest in engaging with CIOs,” says Peter Solvik, former CIO of Cisco Systems and now managing director at Sigma Partners. “CIOs can be very valuable in helping a VC firm evaluate a particular investment. The hands-on experience a CIO has had allows him or her to ask different questions than a VC might.”

What  a  CIO  has  to  gain  from  the  relationship  can  be  a  bit 
harder  to  pin  down.  But  in  conversations  with  both  CIOs  and 
VCs  about  this,  there  is  consensus  that  such  arrangements  are 
a  two-way  street.  For  the  CIO,  they  say,  there  are  four  significant 
benefits. 

1.  Learning  About  the  Technology  Landscape 

While it is true that most of today’s CIOs eschew the straight technology role in favor of business leadership, technology knowledge is still a CIO’s primary differentiator. Knowing which technologies are on the horizon remains critical to your role, regardless of your reach into the business.

ILLUSTRATION BY JAMES O'BRIEN

“Successful  CIOs  are  always  looking  at  how  they  can  apply 
technology  to  advance  their  company,”  says  Asheem  Chandna, 
partner  at  VC  firm  Greylock  Partners. 

“The  best  VCs  are  familiar  with  the  technology  landscape  and 
the  business  value  these  technologies  can  deliver.  For  the  CIO,  a 
key  benefit  to  working  with  VCs  is  the  window  they  offer  into 
emerging  technology,”  says  Chandna. 


2. Gaining Board of Directors Experience

For any CIO who is looking to secure a CEO position someday, experience on a board of directors is a critical item on your resume. But that first board position can be extremely challenging to obtain. The CIO-VC connection provides one route toward landing your first role.

“Start on an advisory board,” suggests Solvik. “If the VCs and the company’s management team see that you have strategic insight into the company and can help on positioning and execution, they may extend your role to the board of directors.”

3. Getting Access to Potential Startup GM Roles

While IT startups should be the perfect environment for CIOs to move into their first general management role, startups themselves typically do not see it that way. The companies usually have a technology expert on board already—the entrepreneur (usually the CTO) who came up with the idea in the first place. Instead, they are looking for execs with experience in sales, finance and marketing. They often see CIOs as risk averse and as possessing experience running large, complex organizations, not sprightly product development teams. Here is where your VC contacts can be highly effective.

“When we hire members of senior management teams in our small growth companies, in addition to a demonstrated track record in the functional area and relevant market knowledge, we look for critical personal attributes like integrity, intellect, passion and the ability to execute,” says Chandna.

If you approach your board activities as a long interview process for a GM role in a technology startup, you have ample opportunity to demonstrate these personal attributes and compensate for the fact that you have never led a sales organization.

Chris McDaniel is a case in point. McDaniel was CIO of Mutual Service, a securities brokerage, for more than five years. When Blue Frog Solutions, a startup technology provider to the securities market, opened a search for a COO, McDaniel was an attractive candidate. McDaniel had met with Blue Frog as a prospective customer, and he knew the company from the market perspective. More important, he had already established a relationship with Pershing, Blue Frog’s primary investor.

“While I was at Mutual Service, I served on the technology board for the National Association of Securities Dealers, where Pershing had representatives. Talking with the Pershing people about hot-button issues in our industry really helped me to cultivate those relationships,” he says. It also allowed Blue Frog’s investors to see McDaniel as an industry player and as Blue Frog’s COO.

4.  Test-Driving  a  VC  Career 

Oh, to lead the life of a successful venture capitalist. You wake up, work out, put on a designer suit, slip into some sort of Italian sports car, drive to your office and spend the rest of the day listening to cutting-edge business ideas from today’s most brilliant entrepreneurs. No firefighting, no project management, no users.

It  is  no  wonder  that  more  and  more  CIOs  are  telling  me 
they  would  like  their  next  job  to  be  as  a  VC.  However,  if  you’ve 
achieved  success  as  a  CIO,  you  might  possess  exactly  the  wrong 
attributes  for  the  job. 

“CIOs  interested  in  pursuing  a  VC  role  should  do  a  gut  check,” 
says  Solvik,  since  CIOs  are  often  paid  to  be  risk  averse  and  spend 
money  only  on  established  technologies. 

“It  probably  only  makes  sense  if  you  are  more  of  a  futurist  than 
a  mainstream  adopter,”  he  says.  “If  you  have  built  your  career  on 
being  conservative  rather  than  bleeding  edge,  the  VC  role  might 
not  be  the  right  one  for  you.” 

Working directly with venture capitalists will give you a much closer look at whether this particular career path belongs in your future and the contacts to make it happen, if you decide that it does.

Martha Heller is managing director of the IT Leadership Practice at ZRG, an executive recruiting firm based in Boston. Reach her at mheller@zrgroup.com.

Join the Conversation

Respond to Martha Heller’s latest online column by visiting www.cio.com/author/41283.



Cybercrime  Special  Report  |  Risk  Management 


Your  Plan  to  Fight 


Online crime is organized, its perpetrators attack deliberately, and the likelihood that they will attack your company—and even shut it down—is growing. Here’s how to mitigate that risk.

Reader ROI

:: Ways cybercriminals are becoming more sophisticated

:: Steps companies can take to combat the threat

:: How CIOs can gain top-level business support for security investments

Kevin Dougherty has seen his share of spam and phishing scams, as has any IT leader in the financial services industry. But the sender’s name on this particular e-mail sent a shudder down his spine: It was from one of his board members at the Central Florida Educators’ Federal Credit Union (CFEFCU).

The e-mail claimed in convincing detail that there was a problem with the migration to a new Visa credit card that the board member was promoting to the credit union’s customers. The fraudulent message urged customers to click on a link—to a phony website set up by criminals—and enter their account information to fix the problem.

But what happened later that Friday afternoon—after Dougherty, who is senior vice president of IT and marketing, had wiped the credit card migration information off the website and put up an alert warning customers of the scam—really scared him. Around 2 p.m., the site suddenly went dark, like someone had hit it with a baseball bat.

That’s  when  Dougherty  realized  that  he  was  dealing  with  something  he  hadn’t  seen 
before.  And  he  couldn’t  describe  it  with  conventional  terms  like  phishing  or  spamming. 
This  was  an  organized  criminal  conspiracy  targeting  his  bank.  “This  wasn’t  random,” 
he  says.  “They  saw  what  we  were  doing  with  the  credit  card  and  came  at  us  hard.” 

Dougherty’s website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that, at its peak, shot more than 600,000 packets per second of bogus service requests at his servers from a coordinated firing squad of compromised computers around the globe. That the criminals had the skill and foresight to launch a two-pronged attack against Dougherty and his customers was a clear indication of how far online crime, which is now a $2.8 billion business according to research company Gartner, has come in the past few years.

PHOTOGRAPHY BY PRESTON MACK

WHO YOU GONNA CALL?

When cybercriminals strike, law enforcement agencies are often overwhelmed. So CIOs are looking elsewhere for help.

When the website of the Central Florida Educators’ Federal Credit Union was attacked by phishers last August, CIO and VP of Marketing Kevin Dougherty’s first instinct wasn’t to call the police. Though he did eventually contact the FBI, “unless you can say you were hit with some very large dollar amounts I don’t think they have enough people to deal with this,” he says.

And so CIOs like Dougherty are assembling crime-fighting coalitions from among consultants, vendors and telecom providers. There’s a historical parallel, says Peter Cassidy, secretary general of the Anti-Phishing Working Group. When banks opened up 150 years ago, there wasn’t an FBI, “so banks hired private law enforcement like the Pinkertons,” he says. One day there will be routine cyber-investigations, “but for now we are still in the Wild West.”

Law enforcement faces several challenges. First is the nature of cybercrime: global and independent of geography. Hackers in Russia can steal money from a bank in the United States using a computer in France quickly, cheaply and with no human intervention required. And their fingerprints—the IP addresses of the computers that initiate the attacks—can be made to disappear before investigators can track them, according to Ron Plesco, director of the Privacy and Special Projects Group for consultancy SRA International. Internet service providers keep logs of every connection but can’t afford to hang on to the piles of data for more than a few days without overwhelming their storage systems.

There’s also a shortage of computer expertise among the FBI and Secret Service, which investigate cybercrime, and the U.S. Department of Justice, which prosecutes it. Given the manpower shortages, investigators need to limit themselves to cases with big losses. Unfortunately, the majority of cybercrimes are committed by small operators, says Uriel Maimon, senior researcher in the Office of the CTO of security provider RSA. “There aren’t many $250,000 frauds,” he says, but there are a lot of $2,000 cases—a big-enough haul for a criminal in an impoverished country.

Finally, there is the complexity of fighting crime across different countries, many of which lack laws that specifically target cybercriminals. Experts speculate that we could someday see the rise of a new global organization specifically targeted at cybercrime, much as the FBI was created to take on the automobile-fueled rise of interstate crime in the 1920s and ’30s. Painter is skeptical. “What we need to do is connect the dots rather than create a new uber-organization,” he says. Painter chairs a G8 committee that has agreements with 48 countries, which have identified cyber-investigators whom they make available to the network 24/7, he says. -C.K.

Though this dark business largely targets financial services companies, there are signs that criminals are beginning to covet new victims. Since January, phishers have been documented going after “many types of websites not typically targeted,” such as social networking and gambling sites, according to the Anti-Phishing Working Group, a research group.

As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems, affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security spending based on the overall threat cybercrime poses.

If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”

How Cybercrime Is Changing

The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. (For a possible way the TJX breach was accomplished, see “Interview with a Mob CIO,” Page 43.) “The new paradigm is to not make big, noisy attacks,” says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the U.S. Department of Justice.

Phishing attacks increasingly use subtle ways of gleaning information that are not apparent to even the most educated computer users. As the sophistication of the




ADVERTISING  SUPPLEMENT 


CIO2CIO

Today's IT Leaders on Market Trends

SOA OPERATIONAL READINESS

CIOs Address Challenges, Best Practices in SOA Deployment

Making sure a company is ready to deploy service-oriented architecture (SOA) is a complex task. And, according to a recent survey, CIOs approach it much as they did reengineering — as a project that will ultimately effect technical change as well as organizational and process evolution.

“Organizational changes are critical to SOA migration,” says Yves Meyer, head of the project management office and architecture at IXIS, a financial services firm based in Paris. “It causes changes to and within the organization.”

The survey, conducted by IDG Research Services, asked CIOs at midsize and large enterprises about best practices surrounding SOA deployments. In lengthy discussions, the respondents cite organizational changes and the need for IT to obtain business buy-in. At the same time, CIOs expect to see some significant role changes within the IT department. Here’s how they look at it.

Selling  to  the  Business 

Survey respondents note several challenges that must be addressed in order to ready a company for SOA deployment. Specifically, respondents cite the difficulty of getting business units to look at enterprise (rather than their own) goals. Among the obstacles:

Information ownership. Both line-of-business and IT staffers can be territorial about the information that drives business processes, and resolving ownership issues is a politically-charged process. “Within the organization, there’s going to have to be a culture change to allow more access to individual departments’ data,” says Rick Allen, assistant vice president of operations and service line director at Georgia-based Gwinnett Health Systems. “You can’t have an area like cardiology or radiology saying, ‘This is my data. Nobody else can get into it.’”

Resistance to change. Mapping business processes that work on an enterprise-wide level requires that business sponsors and CIOs sign off on a common view. However, getting users to abandon function-specific biases remains a significant issue. “This is a major challenge — we have 25 business units, and each of them does things differently,” says Meyer. “Getting them to let us take a look at how they do things and help them figure out areas of improvement is going to be tough.”

Selling SOA-related change to the business. Respondents note that education and training are vital to selling the benefits of SOA. “I think the training and understanding are key, and it’s a slow process,” says the CIO of a utility.

SOA  Governance 

SOA  initiatives  require  governance  on  technical 
and  non-technical  levels.  With  SOA,  applications 
are  composed  of  services  built  with  different  tech¬ 
nologies  that  run  on  different  machines.  This 
distribution  and  heterogeneity  make  deployment 
and  management  challenging.  Capabilities  and 


About  CI02CI0 
Perspectives:  This 
peer-based  thought 
leadership  program 
analyzes  quantitative 
research  and  tests  it 
via  qualitative  inter¬ 
views  with  actual 
CIOs.  The  resulting 
executive  insight  is 
then  disseminated 
via  CXO’s  multimedia 
assets.  To  learn  more 
about  CI02CI0 
Perspectives, 
please  contact 
mavery@cxo.com. 


CIO 


■TIBCOr 

The  Power  of  Now* 


C  I  O  2  C I O  OPER A T I O N A  I  R E A D I N ESS  1 


Custom  Solutions  Group 


ADVERTISING  SUPPLEMENT 


functions  such  as  security,  auditing  and  logging, 
maintaining  uptime  and  meeting  service-level 
agreements  are  performed  differently  on  each  plat¬ 
form,  and  are  often  hard-coded.  This  results  in 
more  development  work,  and  it 
also  often  provides  less  control  in 
managing  the  services  as  part  of 
composite  applications,  an 
inability  to  guarantee  levels  of 
security  or  performance,  and 
more  work  whenever  changes 
must  be  implemented  across 
applications. 

CIOs  must  also  devise 
workable  ways  to  ensure  that 
departments  use  processes  and 
services  originating  in  other 
departments.  As  service  use 
becomes  more  intertwined, 
knotty  issues  of  ownership  arise. 

For  example,  CIOs  must 
consider:  Who  owns  each  service?  Who  pays  for 
service  creation  and  maintenance?  Who  has  the 
right  to  change  a  service,  particularly  if  the  change 
affects  other  service  users? 

Companies  approach  technical  and  non¬ 
technical  issues  of  governance  in  different  ways. 
“We  have  an  architecture  group,  which  is  also  the 
governance  group,”  says  Larry  Krieb,  vice  presi¬ 
dent  of  the  IT  global  information  services  group  at 
Estee  Lauder  in  New  York  City.  “Nothing  goes 
into  production  without  code  review  by  the  SOA 
architecture  group.” 

Some  organizations  address  the  situation  by 
forming  an  SOA  Center  of  Excellence,  where 
enterprise-level  architects  with  SOA  expertise 
oversee  service  management  on  an  enterprise-wide 
basis. 

Respondents  also  mention  other  governance 
methods,  such  as  a  program  management  office 
and  a  cross-division  group  to  create  and  manage 
SOA  standards. 

Changing  IT  Roles 

Many  CIOs  say  that  a  key  part  of  being  prepared 
for  SOA  means  rethinking  how  the  IT  group 
develops  applications  or  services.  In  particular,  the 


“Nothing 
goes  into 
production 
without 
code  review 
by  the  SOA 
architecture 
group.” 


role  of  the  IT  architect  has  taken  on  increased 
importance,  with  new  tasks  ranging  from  long¬ 
term  strategy  and  planning  to  SOA  governance. 
“Architects  are  like  a  lynchpin  for  making  every¬ 
thing  happen,”  says  Krieb. 

At  the  same  time,  developer 
roles  change  as  they  acquire  new 
skill  sets  to  reuse  services  that  have 
been  created  across  the  enterprise. 
“Developers  will  now  have  to 
think  enterprise-wide,”  says 
Meyer.  “Individual  requests  will 
have  to  become  enterprise 
requests,  so  to  speak,  so  that  the 
capability  can  be  reused  across  the 
organization  and  shared  by  other 
groups.  This  is  a  big  shift.” 




Measuring  SOA  Success 

Many  respondents  are  in  relatively 
early  pilot  stages  of  SOA  and 
hence  speak  about  projected  measurements  rather 
than  actual  practices.  But  CIOs  commonly  note 
that  they  expect  SOA  to  help  them  do  things 
faster,  both  in  terms  of  business  and 
IT  development,  and  that  metrics  will 
reflect  that  promise. 

“We  will  probably  develop  some 
ratios  between  the  volumes  of  activity 
performed  and  the  staff  that  is 
required  to  handle  the  work,”  says 
Meyer.  “Those  are  two  numbers  that 
would  be  easy  for  us  to  get.” 

Other  respondents  cite  as 
projected  metrics  the  ability  to  get 
information  that  was  previously 
unobtainable,  increased  efficiency 
and  budget  and  SLA  adherence. 

Preparing a company for SOA deployment consists of far more than technology implementation. CIOs say that addressing process change and managing expectations on the business side are critical to ultimate SOA success, and many have turned to outside consultative help to address this complex organizational challenge.

Go to www.cio.com/whitepapers/readiness now to obtain a free download of “Executives Warn: SOA Demands More Than Just Technical Change.” Based on a major research survey by IDG Research Services featuring in-depth discussions with CIOs at midsize and enterprise class organizations, this just-released white paper will help CIOs analyze their SOA model in accordance with the challenges and best practices reported in the paper. By doing so, they will have a powerful tool to create and manage enterprise wide SOA frameworks.


Custom  Solutions  Group 




attacks continues to improve, the percentage of consumers who click where they shouldn’t has risen from 18.6 percent in 2004 to 24.9 percent last year, according to Gartner. Online crime “will spread from financial services as the use of indirect attacking grows,” says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University. “For example, perhaps you go to a funny cartoon website where it asks for information that mimics what’s needed to impersonate you on eBay.”

That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost. The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft.

For  businesses,  the  unseen  costs  are 
even  higher.  For  56  organizations  studied 
by  the  Ponemon  Institute  that  experienced 
the  loss  or  theft  of  customers’  personal 
data,  the  loss  of  business  resulting  from 
the  breach  eclipsed  by  nearly  $400,000 
the  combined  cost  of  detecting  an  attack, 
notifying  customers  and  helping  them 
work  through  any  resulting  problems  (on 
average,  $128  per  compromised  record  and 
$2.6  million  in  total). 

Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost $15 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.

What  Happens  When 
You're  Unprepared 

Dougherty faced these broad risks on that awful Friday afternoon last August, when a criminal website intent on stealing the identities of Dougherty’s members was his only operating face to the world on the Web.

Obviously, the first thing Dougherty had to do was stop the attack. He had to hurriedly assemble a coalition of vendors and consultants to help him, and then he had to convince his CEO that drastic steps were needed—steps that would temporarily cut off customers from any possibility of getting to their accounts online until the problems were completely eradicated. (To find out why companies rely more on vendors than on law enforcement for help, see “Who You Gonna Call?” Page 36.)

Dougherty wanted to have the site temporarily blacklisted with his telecom provider, BellSouth, to deflect the attack, thereby reducing pressure on the site and giving him the time and flexibility to make protective changes. But his CEO resisted—as might anyone who has not experienced an attack. “He wanted to keep it up so we could service the members,” says Dougherty.


www.cio.com  |  JUNE  15,  2007  37 


Cybercrime  Special  Report  |  Risk  Management 


At 11 p.m., after a long night of battling the attackers and plotting strategy, Dougherty finally convinced his CEO to have the site blacklisted and to take a break until morning. Continuing in a tired and emotional state would have played into the attackers’ hands. “It’s a mind game,” says Dougherty.

By Saturday morning, Dougherty had RSA, a security vendor he called in when the attacks began, working to set up a “take-down” service that seeks out and dispatches criminal websites (in this case, more than 30) with its own cyber baseball bat. Meanwhile, BellSouth began beefing up security around the credit union site to try to thwart attacks. Dougherty also began planning with RSA to build multifactor authentication into the website. As these solutions emerged, the CEO became comfortable with Dougherty’s blacklisting decision. “We built heightened awareness with the board and the executive management team,” says Dougherty. The site was back up by Saturday evening. In the end, 22 customers gave up their information to the thieves and the total losses were “less than five figures,” says Dougherty. (To learn why it’s hard to prevent customers from falling for phishing scams, see “Stop Them Before They Click Again,” Page 40.) Though the credit union had averted disaster, “it was a rude awakening,” he says.

Firewalls  Aren't  Enough 

Dougherty also woke up to the fact that he needed to communicate more with his executives and the board about IT security and its link with the bank’s risk and security strategies. Now he scans banking conference agendas for security content and encourages his executives and board members to attend. Sometimes he accompanies them. “I was with our chairman at a conference and there was a security presentation and so I said, Why don’t you come down and we’ll go to this together? Then, when he had questions, I was there to answer them. Sometimes the technology scares them and you have to get them comfortable with it.”

How Cybercrime Evolved

For a brief history of malware and cybercrime, go to www.cio.com/article/116250.

Every month, Dougherty also sends three or four security articles to executives and the board that he encourages them to read. He has subscribed to a fraud intelligence information service from RSA that gives updates on the latest threats and suggested responses, and he passes that information along too. “It’s vital to have data to relay to my management team,” he says.

“We lost some of our branches in Hurricane Katrina. If you have a DDoS, you have to do some of the same things to respond. You have to reroute people and phones and make sure the communications about the situation are clear and concise.”
-Ian Patterson, CIO, Scottrade

Dougherty is also in charge of all training for employees and has broadened that educational effort to include security. He now demands that at least one security article go in each edition of the bank’s quarterly newsletter.

He doesn’t think he has a choice because the auditors have become tougher. In the wake of the attack, the bank strengthened its audits that tested for vulnerabilities, both online and off. One of those tests inside branches found that crooks didn’t need the Internet to gain access to data. “We had guys sling monitors over their backs and tell the tellers they needed to fix the computers. They got past our tellers in three branches,” Dougherty sighs. “But I would rather have the auditors find these things than someone else.”

With so much at stake, however, CIOs have to move beyond such traditional defensive strategies. They need a protection strategy for the data too. The threat of security breaches by rogue employees or contractors has always been higher than the threat from criminals outside. But now the outsider threat is increased due to the greater portability of data via mobile devices, says Joe Nackashi, CTO of Fidelity Information Services, which hosts data not just for Fidelity but for other financial services companies as well.

In 2004, Fidelity began encrypting all of its financial data, not just on its internal systems, but on any device that enters or exits the data center, including laptops, thumb drives and magnetic tapes for mainframes. This way, “even if you lose the data, it will be scrambled when someone tries to recover it,” says Nackashi.

But encryption is expensive (because of the effort involved to dress data in extra scrambling code) and complex, requiring processes for deciding what to encrypt when, where, why and by whom. Furthermore, encryption is only as strong as its weakest link. If business partners and contractors don’t follow the same processes and use the same encryption methods, all that scrambling is for naught. These difficulties probably account for why only 16 percent of organizations surveyed by the Ponemon Institute said they had an enterprisewide encryption strategy.

Yet more companies, including those outside of financial services, will need to consider encryption for their most sensitive data. The growth in mobile devices and the ability of employees to install and run their own software gives data legs to run around the firewall—what Nackashi calls “data in flight.”

Though Nackashi won’t say how much Fidelity spends on its encryption effort, it is evident in the amount of management time he has devoted to it. “Two years ago, it probably consumed 100 percent of my time because we were planning the strategy,” he says. “Today we’re in implementation mode, so it is probably 30 percent.” This despite the fact that Fidelity has a full-time chief information security officer



STOP  THEM  BEFORE  THEY 
CLICK  AGAIN 

Educating  users  won't  prevent  them  from  giving  up  info 
to  fraudsters.  Take  them  out  of  the  loop. 

You  may  need  to  wait  a  minute  for  another  sucker  to  be  born,  but  you  can  find 
one  anytime  you  want  online. 

In a recent MIT-Harvard study to determine online gullibility, 36 percent of test subjects logged in to their online bank accounts despite being presented with a strong warning page saying that their bank site's security certificate was not valid. Not one person noticed when HTTPS, the secure form of HTTP, was stripped away—they offered up their passwords anyway.

Although our instincts tell us that better education might have saved these users from themselves, there is a growing consensus among researchers that education will never stop many people from clicking when they shouldn’t. The problem, says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University, is one of focus. “When people go online, they are focused on other things besides security,” he says. “They want to pay their bills online or talk to their friends. People don’t pay attention to security clues online.” Even when, as in the MIT-Harvard study, they are reminded to pay attention to warnings.

Meanwhile,  the  kind  of  information  that  lulls  victims  into  a  false  sense  of  security 
is  still  widely  available  online.  In  a  2005  study,  Jakobsson  was  easily  able  to  find  the 
Social  Security  numbers  and  mothers’  maiden  names  of  millions  of  Texans  online. 
“When  the  e-mail  comes  with  your  mother’s  maiden  name  already  in  there,  it's  a  lot 
easier  to  click,”  he  says. 

So what to do? Some suggest issuing new passwords through small electronic fobs called tokens each time someone logs in to a site, or requiring account holders to verify withdrawals via a cell phone call. But both solutions are costly, complex and potentially inconvenient to customers. The best answer may be to relieve home computer users of responsibility for computer security.

Already, some ISPs are offering security software as part of their subscription pricing, judging that the extra cost is more than balanced out by reducing the risks they face from the pipe-clogging spam and malware. With 2.4 million unsecured broadband connections in the United States today, according to Consumer Reports, it may be time for the IT industry to face that consumers will never close the security gap by themselves. To the extent that end-user companies could be liable for their customers’ inaction, they need to weigh the risk of leaving the responsibility for managing security in the hands of customers who may never do it adequately. -C.K.


who  is  Nackashi’s  peer.  Overall,  Fidelity’s 
security  staff  has  grown  30  percent  over 
the  past  two  years,  he  estimates.  “This  isn’t 
something  you  can  compromise  on  from 
our  perspective,”  he  says.  “The  nature  of 
the  business  we  operate  in  leaves  us  no 
luxury  to  play  fast  follower.” 

Get  C-Level  Buy-In 

Such dramatic increases in security staffing and spending are a barometer of cybercrime’s evolution from IT nuisance to business risk. Scottrade’s Patterson has quadrupled his security staff from two to eight since 2004, and he estimates it will more than double next year.

Anyone who resists this growth in security spending needs to consider the bigger picture, says Patterson. “What if a breach among a small number of customers caused us to lose 170,000 or 300,000 customers overall, what would be the business ramifications of that? Everyone has to be in agreement that whatever that number is, you build your ROI from that.”

As a way to give information security the billing it deserves, Patterson has pushed Scottrade to link it with the company’s disaster recovery and business continuity strategies. “We lost some of our branches in [Hurricane] Katrina,” says Patterson. “If you have a DDoS attack you have to do some of the same things. You have to reroute people and phones and make sure the communications about the situation are clear and concise.” Meanwhile, at CFEFCU, Dougherty has consultants to do a data breach business impact analysis that links to the organization’s disaster recovery strategies.

But CIOs can’t be left as the sole advocates of a broader risk strategy, or it will never happen. Executive committees and boards have to be involved in the decision making. “I put up a picture of the Kremlin when I present to the executive committee. Whatever it takes,” laughs Scottrade’s Patterson. The picture is a reference to Russia as a hotbed of cybercrime. “The business has to be just as aware of this as I am.”

One way he builds awareness is to present a set of security key performance indicators to his executive committee every month. For example, he gives an overall report on internal and external vulnerabilities by tracking intrusion alerts and monitoring the security patching efforts, broken down by data center and hardware at Scottrade’s corporate facilities as well as at its branches. Eighteen months ago, he says, “we were not tracking this information.”

Dougherty’s CEO and board now also are vested in security as a critical business metric. Perhaps the best evidence of this was when his site was attacked again later in the summer. The attack was neutralized within a few hours, says Dougherty, because of the new strategies he had in place, but also because there was no need to argue any of them with the CEO or the board. “They just need to understand what’s going on,” he says. “They need to know that responses are being made.”


To comment on this story, go to the online version at www.cio.com/article/117201.




IT  Scams 




The  facts,  the  scams,  are  real.  The  CIO?  Not  so  much.  But  here’s 
how  organized  crime  uses  technology  to  make  money. 


AS  TOLD  TO  SCOTT  BERINATO 


» How organized cybercrime operates
» How the Internet makes crime easier and more profitable
» Image spam and other new criminal technologies

People call me a lot of things. Nobody would ever call me a CIO, but after reading CIO magazine a little bit, I guess that’s basically what I am. Maybe I’m a little younger than you. A little more techy. I know my routers and code.

Most  of  the  guys  I  work  with,  they  don’t  like  computers.  They  get  frustrated.  Lots 
of  times  they  want  to  shoot  their  computers,  like  that  guy  in  Colorado  did.  I  printed 
out  that  story  and  gave  it  to  one  of  my  guys.  He  loved  it,  especially  the  part  where 
the  guy  hung  the  dead  computer  on  the  wall  of  his  bar.  “I  love  this  Colorado  guy,” 
he  said.  And  he  passed  it  around  to  all  the  guys.  “You  have  to  read  this  story  MIT 
gave  me.”  Yeah,  they  call  me  MIT,  like,  “Let’s  ask  MIT  if  we  can  set  up  an  online 
account”  or  “Maybe  MIT  can  make  a  website  for  that.”  A  website  for  what?  For 
making  money,  what  else?  Isn’t  that  why  anyone  sets  up  a  website? 

Yeah,  I  deal  with  the  same  stuff  you  do.  Same  headaches.  I’m  constantly  fixing 
stuff  and  trying  to  do  whatever  helps  the  bosses  grow  the  business,  as  you  call  it. 
Bosses.  I  mean,  bosses  are  the  worst,  right? 

The Penny Stock Scam

We’re in a real boom right now. Credit cards. Gambling. You heard about that stock deal? The one that uses that new kind of spam? Image spam? This is an old-fashioned pump-and-dump scam but with a cool techno twist.

PHOTO BY SIlOBO MiTlC

Cybercrime Special Report | IT Scams

This wasn’t mine, but I know a guy who knows the guy who set it up. Here’s how he worked it. First, he rented a botnet. That was for e-mail distribution. He pays, I don’t know, say $50Gs for a month, turns around and promises the bot-herder a taste in exchange for that month’s usage and some guaranteed uptime. You know, he says, deliver me 10 million e-mail messages and I’ll guarantee you some back-end cash.

So the bot-herder knows a kid who wrote this absolutely killer image spam application that creates the e-mail messages. Pays him a flat fee. I mean, the kid could’ve asked for a lot more, but a lot of these programmers are pretty young and dumb. You wave some cash and they think, “Flat-screen TV!” Anyway, he tells the kid to make the program create advertisements for pink-slip stocks, those unlisted ones that trade for pennies. It all gets done in like 15 minutes after they get some of the basic wording down.

So then this guy sets up offshore accounts online (in Brazil, I think) to collect the investments. His guys all buy something like 10,000 shares at 30 cents per. Then the botnet goes to work. Starts mass mailing the ads for the stocks. And the beauty part is those little messages get by all the spam filters because the filters are looking for text, but with the image spam all the filters see is a million different images, each one unique, even though they all say the same thing: Buy this stock. (For more on image spam, go to www.csoonline.com/read/040107/fea_spam.html.) Genius. Finally, enough people invest to drive up the price. Eighty cents a share. A buck. Two. Eventually, our guys sell, make a nice chunk of change, the stock tanks and the suckers who got in on the e-mail tip lose their shirts.

Like  I  said,  a  classic  pump-and-dump, 
but  back  in  the  day  it  was  a  lot  harder  to  do. 
It  required  a  lot  of  legwork,  relationships 


I know what you’re thinking: Who believes an anonymous e-mail that says such-and-such company you’ve never heard of is at a quarter a share now but is heading to five bucks? Hey, I don’t know, but you send out 10 million messages, you get 1,000 to invest, that’s only, what? A hundredth of a percent? I’d say the sucker population is a lot bigger than that.

It was a great little business. One of those stocks hit six bucks! But then the feds sniffed it out and suspended trading on those penny stocks in March. Maybe when things cool off, it’ll pick up again. By that time, the spam filters will probably have adjusted and we’ll have to go back to the programmers for their latest bots.

Everyone  Wants  ID. . . 
Just  Not  Their  Own 

The  big  money  is  in  credentials. 

Look, the world runs on credit, and what you need to get credit are personal credentials. That’s what everyone is after right now. And that’s where a lot of our investments are: credentials for lines of credit.

That TJX thing last January? No, not me. But let’s say I had beers with someone who might have worked on that job. It sounds like the heist of the century, right? What, 40 million personal records? But really it’s pretty basic stuff. If you want to get into the credentials market, you do three things: One, get inside access to someone who stores lots of personal data. Retail is great for that. Think about how many cards are swiped every second at those places. Two, invest in antiforensics, because once you’re in, you want to stay invisible until you’re done. (For more on antiforensics, go to www.cio.com/article/114SSO.) Three, after you got the credentials, behave. I’ll explain that one in a minute.

How to Protect Yourself

Don’t want to be victimized by our Mob CIO? Here are eight questions to ask yourself when assessing your security vulnerabilities, at www.cio.com/article/109958.

The papers say the wiseguys got into TJX, they got employee IDs, by intercepting wireless data flowing between cash registers, handheld price-checking devices and such. Maybe. But this is how I’d do it.

Inside  access.  That’s  easy.  You  spread 
some  USB  keys  around.  People  see  them 
and  go,  Cool,  free  dongle!  Only  when  they 
plug  them  in,  a  little  program  installs  some 
bots  or  keyloggers  onto  their  machine. 
From  there,  you  root  around  until  you 
get  deeper  into  the  network.  (There  are 
other  ways  too.  Dumpster  diving  for  paper 
records  and  credit  card  statements.  Paying 
off  the  custodial  staff.  This  stuff  is  as  old  as 
time;  computers  just  make  it  easier.) 

After  gaining  access,  it’s  time  to  invest 
in  antiforensics.  Look,  I  don’t  care  if  they 
can  see  what  I  did  as  long  as  they  can’t  see 
it  was  me  that  done  it.  We  have  this  saying 
here  about  antiforensics:  Make  it  hard  for 
them  to  find  you  and  impossible  for  them 
to  prove  they  found  you.  We’ve  got  a  whole 
bunch  of  software  that  allows  us  to  cover 
our tracks and keep us basically invisible
while we’re inside someone’s system.
What’s  great  is  a  lot  of  antiforensic  tools  are 
free.  They’re  all  over  the  Internet.  We  buy 
others,  like  encryption  programs  and  data 
wipers  like  Evidence  Eliminator.  This  guy 
I  had  beers  with  says  a  few  guys  are  even 
experimenting  with  ways  to  make  other 
guys  look  guilty.  You  know,  set  someone 
up,  send  the  cops  down  the  wrong  path. 

At  that  point,  you  install  a  little  program 
that  collects  the  credentials.  Sometimes 
we  use  ’em;  most  of  the  time  we  sell  ’em. 
We’ve been working on a subscription service.
You pay for access to credentials for a
certain  period  of  time.  We  can  get  $1,000 
a  month  or  more  for  a  subscription  pretty 
easy.  That  adds  up. 

But what we’ve run into—a big problem—is
that lots of guys get their hands
on  this  information  and  just  start  buying 
stupid  stuff.  They  have  no  discipline.  Look 
at  TJX.  Those  guys  got  busted  for  using  the 
credentials they lifted to buy gift cards for,
what, like $20Gs or something? I mean,
you  buy  a  $20,000  gift  card,  someone’s 
going  to  notice.  So  don’t  do  Visa’s  job  for 
them.  All  it  takes  is  one  jerk  who  gets  some 
credit  and  buys  a  Bentley  to  take  down  an 
entire  business.  Find  guys  who  can  wait  to 
use  the  credentials  and  then,  when  they  do, 
use  them  in  a  way  that  looks  normal. 

They  Gamble;  We  Don't 

Right  now,  we’re  setting  up  a  service  out  of 
Costa Rica. It’s a—how do I put it?—it’s a
high-risk,  high-return  investment  service 
for  sports  fans. 

So  how  do  I  set  up  something  like  that? 
Like  any  project,  with  a  lot  of  legwork.  I’ve 
got  to  get  my  guy  in  Costa  Rica  to  set  up 
the  back-end  servers.  Costa  Rica’s  great 
because  everything’s  available  right  in  one 
building.  I  call  my  guy  and  say,  “It’s  MIT.  I 
need  some  stuff.”  He  just  walks  down  the 
hall  to  the  ISP,  gets  servers  and  backups, 
and then goes upstairs to the Web developers.
It’s out-of-the-box, like calling up IBM
Global  Services  or  something.  There’s  even 
a  little  online  payment  service  outfit  down 
there.  We  like  it  better  than  the  big  ones 
up  here  because  those  guys,  they’re  better 
with  international  currency  and  security. 

After  we  get  all  that  going,  we’ve  got  to 
do  all  the  testing.  I’m  telling  you,  it’s  really 
not  much  different  than  those  e-commerce 
projects  I  read  about  in  CIO.  We  do  the 
same  due  diligence.  Same  troubleshooting. 
Same  thing  with  bosses  yelling,  “MIT,  you 
got  that  site  up  yet?  Super  Bowl’s  in  a  few 
weeks.  Site’s  gotta  be  up  for  that!” 

They  ask  for  some  ROI  up  front,  by  the 
way.  It’s  a  little  more  informal  than  the 
way  most  of  your  readers  do  it.  They’ll 
ask,  “Ballpark,  what  do  we  gotta  spend?”  I 
give  them  a  number.  They  say,  “What  can 
we  clear  in  an  average  month?”  I  give  them 
another  number.  I’m  not  making  these  up 
either. I ask around. I mean, that’s
cost-benefit analysis right there, right?

Anyway,  once  that  site’s  up  and  running 
it’ll be a nice little business...for the
overseas market, of course.

Even Crooks Need Security

I invest in top-notch security because, believe me, gaming sites
are constantly dealing with extortion. Criminals. Not a day goes by
when a site doesn’t have some Russian hacker launching a DDoS
attack, asking for cash to call it off. We encrypt everything, and
we’ve got pretty severe authentication for access. We don’t
outsource or contract the security. We keep it in-house.

I pay my security guy well. I’d say about 25 to 30 percent above
what you’d pay. Met him at the Black Hat conference in Vegas a
couple of years ago. I liked him right away because he wasn’t
presenting or bragging about what a hotshot he was. He was in the
back, taking notes, trying to learn. Quiet. I knew right away he’d
fit in.

I’ve also tasked him (that’s how you say it, right?) with internal
security. Basically, his job is chief privacy officer for a bunch
of guys who really value privacy. All this technology—phones, the
Internet—it’s all great for making money,
but the problem is, everything gets logged.
My  security  guy  has  written  and  used  lots 
of  antiforensic  tools  to  erase  those  logs, 
and  I’m  comfortable  telling  my  boss  we 
have  better  privacy  than  the  big  banks. 
My  security  guy  knows  how  to  disable  the 
GPS  in  our  cell  phones.  He’s  building  some 
routing  programs,  sort  of  like  that  Onion 
Router  project  that,  like  it  says  on  their 
website,  “prevents  the  transport  medium 
from  knowing  who  is  communicating 
with  whom”  so  that  anything  we  send  over 
the Internet is scrambled through different
routes and hops all over the world,
completely  anonymous  and  untraceable. 
And  everything,  I  mean  everything,  is 
encrypted.  Say  someone  stole  the  servers 
we  keep  here  at  the  home  office.  My  guy 
designed  it  so  that  really  only  two  people 
can  access  the  data:  me  and  him.  We  have 
the  private  keys  and  no  one  else  does.  Not 
even  the  boss. 

My  Kind  of  Guys 

The guys I keep, or keep on a kind of retainer, are the ones that
show me something extra. We had one guy who came to us selling a
great new way to set up temporary international cell phone
accounts, using credentials bought in the identity market. Guys
will pay a lot for a disposable international cell phone. We bought
some and were so impressed we decided to get into business with
him. He set up the phones; we handled distribution. I asked the guy
what else he was working on. He flips his laptop around and shows
me his own website where he’s auctioning off credit credentials to
the highest bidder. Slick. I said to him, “You could be our R&D.”
He said, “Cool.” And that was that.

Compared to you guys, I’m pretty lucky with talent. My guys are way
ahead on the technology. They work hard. They’re innovative and
entrepreneurial. I think they’re some of the most talented IT staff
around.

Alignment Among Thieves

Actually, there is one way you and I are different. I read all
those stories in CIO about how hard you have to work to align
technology with the business’s goals. That’s one
problem I don’t have. My bosses don’t let me
spend  a  dime  on  anything  that’s  not  going 
to  make  them  money.  Why  should  they? 
And  I  wouldn’t  even  think  about  investing 
in  a  huge  project  that  might  fail  to  live  up 
to  expectations.  I  don’t  get  play  money  to 
buy  technology  that  doesn’t  work.  I  don’t 
have vendors paying the freight to conferences
at swank resorts to convince me to
invest  in  something  that’s  half-developed 
and  overhyped.  I  never  use  jargon.  I  spend 
zero  time  doing  PowerPoints. 

Speculation? That’s not part of our business model. So maybe I
don’t get the newest gadgets all the time but, man, I am aligned.
With the business. With the bosses. There’s really no other choice,
you know?

CSO  Executive  Editor  Scott  Berinato  can  be 
reached  at  sberinato@cxo.com.  To  comment  on 
this story, go to www.cio.com/article/117150.


46  JUNE  15,  2007  |  www.cio.com 




Cubik CTO Greg Lindberg: “If someone is conservative, they’re never
going to get into this business in the first place.”


Rarely  acknowledged  by  the  mainstream,  adult  and  gaming 
sites  collect  a  healthy  percentage  of  Web  traffic  and 
account  for  a  good  deal  of  innovation  too. 


Tim  Valenti  and  Greg  Lindberg  are  accidental  pornographers. 

When the two former advertising men started their own Web design
company, Cubik Media, in the mid-1990s, one of their first clients
was Eidos Entertainment, the company that makes the Tomb Raider
video game. Part of the campaign used streaming video, but the new
technology was not ready for prime time and almost no one had the
high-speed connections necessary to view the content. But Valenti
and Lindberg saw potential. On a whim, they started Nakedsword.com,
an adult site for gay men, figuring that online video would save a
potentially embarrassing trip to the video store. “We built some
password-protected areas and threw up some videos, mainly as an
experiment,” says Lindberg, Cubik’s CTO. Then something unexpected
happened: “People started buying it left and right.” Almost
overnight, Nakedsword.com became 90 percent of Cubik’s business.


:: Why the red light Web is a nexus for innovation
:: New Internet technologies
:: Innovations in mobile content delivery and digital rights management

PHOTO BY ANDY FREEBERG




Cybercrime  Special  Report 


Emerging  Technologies 


RED LIGHTS, BIG NAMES

Under any light, money is still green

A naive view would be to dismiss the Web’s red light district as
composed solely of sleazy people and websites with ridiculous names.
But if you scratch the surface, says Frederick Lane, author of
Obscene Profits: The Entrepreneurs of Pornography in the Cyber Age,
you'll find some extremely famous, well-known and established
enterprises.

Major hotel chains such as Marriott and Holiday Inn profit to the
tune of about $190 million a year on the sale of adult movies,
according to a report by Citizens for Responsibility and Ethics in
Washington (CREW), a government watch-dog group. About 90 percent of
this revenue goes straight to the bottom line.

According to CREW, major cable companies such as Comcast and Time
Warner also make hundreds of millions a year selling pay-per-view
pornography. And telephone companies earn close to $500 million
every year from phone sex. In the United Kingdom, $41 billion
Vodafone, one of the world’s largest mobile telecom companies, has
been frank about its decision to carry and process payments for
pornography sent to mobile phones. Even good old General Motors was
in the adult movie business (through its Direct TV subsidiary) until
it sold that unit in December 2003.

Technology companies in the Internet world are also involved with
pornography by helping to maintain the networks and channels by
which it’s delivered. Of course, those companies have a good excuse
for not calling attention to their role.

“On the Internet,” puns Lane, “all bits are naked.” -B.W.


In the years since, Cubik has continued to innovate with online
video. It was among the first to use Flash for streaming video,
build digital rights management capability into its movies and use
peer-to-peer networks for distribution. Most recently, Cubik is
integrating a cutting-edge digital fingerprinting system that can
spot copyrighted material posted by users on one of its sites, an
adult version of YouTube. The system works by turning the sound
waves from a movie’s audio track into an image. Every time a user
uploads a clip, the system makes a graph of the new audio and
compares it to the graphs in its database. If the clip a user is
trying to post matches a copyrighted one, Cubik takes it down.

“It’s pretty amazing,” says Lindberg. “There are lots of companies
out there trying to solve this problem, but we actually have
something that works.”
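The matching step described above, sketched as an added example (it is not Cubik's code and does not come from the article): each frame of audio becomes one row of a spectrogram, the row is reduced to its loudest frequency bin, and an uploaded clip is slid along every stored fingerprint. The frame size, bin range, 0.8 threshold, titles and tone-based sample audio are all assumptions constructed for the demonstration.

```python
import math
import random

FRAME = 64            # samples per analysis frame (assumed value)
BINS = range(1, 17)   # DFT bins examined in each frame (assumed value)


def tone_track(bins, amp=1.0, noise=0.0, seed=0):
    """Constructed sample audio: one pure tone per frame, centred on a DFT bin."""
    rng = random.Random(seed)
    return [amp * math.sin(2 * math.pi * k * n / FRAME) + rng.uniform(-noise, noise)
            for k in bins for n in range(FRAME)]


def spectrogram(samples):
    """Rows are frames, columns are per-bin magnitudes: the 'image' of the audio."""
    rows = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        row = []
        for k in BINS:
            re = sum(x * math.cos(2 * math.pi * k * n / FRAME)
                     for n, x in enumerate(frame))
            im = sum(x * math.sin(2 * math.pi * k * n / FRAME)
                     for n, x in enumerate(frame))
            row.append(math.hypot(re, im))
        rows.append(row)
    return rows


def fingerprint(samples):
    """Keep only the loudest bin of each frame, so a volume change has no effect."""
    return [BINS[row.index(max(row))] for row in spectrogram(samples)]


def best_alignment(clip_fp, ref_fp):
    """Slide the clip along the reference; return (best score, frame offset)."""
    best = (0.0, None)
    for off in range(len(ref_fp) - len(clip_fp) + 1):
        hits = sum(1 for i, b in enumerate(clip_fp) if ref_fp[off + i] == b)
        score = hits / len(clip_fp)
        if score > best[0]:
            best = (score, off)
    return best


def check_upload(samples, database, threshold=0.8):
    """Return (title, score, frame_offset) for the best match at or above
    the threshold, or None when the upload matches nothing on file."""
    clip_fp = fingerprint(samples)
    if not clip_fp:                 # shorter than one frame: nothing to compare
        return None
    best = None
    for title, ref_fp in database.items():
        score, offset = best_alignment(clip_fp, ref_fp)
        if score >= threshold and (best is None or score > best[1]):
            best = (title, score, offset)
    return best


# Constructed reference catalogue: two protected tracks, eight frames each.
A_BINS = [3, 7, 5, 9, 4, 11, 6, 8]
B_BINS = [10, 2, 12, 3, 13, 5, 14, 6]
DATABASE = {
    "title-A": fingerprint(tone_track(A_BINS)),
    "title-B": fingerprint(tone_track(B_BINS)),
}

# Constructed uploads: an excerpt of title-A at half volume with added noise,
# and a clip that shares no material with the catalogue.
EXCERPT = tone_track(A_BINS[2:6], amp=0.5, noise=0.1, seed=7)
UNRELATED = tone_track([2, 15, 1, 16])

if __name__ == "__main__":
    for name, clip in (("excerpt", EXCERPT), ("unrelated", UNRELATED)):
        print(name, "->", check_upload(clip, DATABASE))
```

The threshold is the operating trade-off: a clip with one of its four frames altered scores 0.75 against title-A and passes unflagged at 0.8, while lowering the threshold raises the chance of flagging unrelated uploads.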

On  the  Cutting  Edge 

Red light sites probably aren’t places CIOs normally would look to
find innovative IT. But the sex and gambling industries have always
been at the forefront of technological innovation. During World War II, the illegal
telephone  network  that  bookies  developed  was  more  reliable  than 
the  one  the  War  Department  used,  says  Harold  Layer,  professor 
emeritus  at  San  Francisco  State  University.  And  the  pornography 
industry  has  helped  select  technology  winners  and  losers  for  ages. 
In  the  1980s,  for  example,  demand  for  adult  material  gave  VCR 
makers  the  economies  of  scale  they  needed  to  make  their  devices 
affordable,  says  Jonathan  Coopersmith,  a  professor  of  technology 
history  at  Texas  A&M  University. 

But  past  innovations  pale  in  comparison  to  the  rate  at  which 
the  gambling  and  adult  industries  are  blazing  new  ground  on  the 
Internet.  Over  and  over  again,  the  Web’s  red  light  district  has  either 
pioneered  or  adopted  a  technology  before  the  mainstream.  The  first 
customers of Duocash, a now-defunct anonymous payment system that
allowed customers to pay for online services with prepaid phone
cards, were gambling sites. A random sampling of 400,000 queries on
the early peer-to-peer file sharing network Gnutella in 2003 found
that 42 percent were looking for porn (compared to only 38 percent
looking for music). And content delivery for mobile devices is now
dominated by the adult and casino industries to such an extent that
3G, the high-speed mobile communication network, ought to stand for
girls, games and gambling.

Today, adult websites make up 12 percent of the Internet, according
to Top Ten Reviews. These sites attract 72 million unique visitors
a month (more than 28,000 people are viewing Internet pornography
at any given second) and the sex sites’ annual sales approach
$5 billion, higher than the combined revenues of the ABC, CBS and
NBC television networks. (Coopersmith warns that people should
take numbers measuring the size of the adult industry with a grain
of salt. “It’s like sex in general,” he says. “People exaggerate.”)

Meanwhile,  the  online  gambling  industry  has  made  its  sites 
incredibly  sticky.  According  to  Nielsen/NetRatings,  visitors  to 
the  top  gambling  sites  spend  an  average  of  13  hours  at  the  sites  a 
month.  The  worldwide  average  for  all  sites  is  just  28  minutes. 

There are several reasons why the red light Web embraces
innovation. Its target audience—males, 18 to 50—is a demographic
that gravitates to new technology. Good technology is
also a business necessity. “[Gambling and adult companies] have
been forced to be innovative by constant attempts to legislate
them away,” says Lawrence Walters, a First Amendment lawyer
at the firm Weston, Garrou, DeWitt & Walters. In fact, the U.S.
government passed a law late last year that makes it illegal for
Americans to spend money at online casinos, a move that devastated
the industry. The risk of prosecution has also kept gambling
and adult sites from growing into large corporate entities. (See
“Red Lights, Big Names,” this page.) “As a result they’ve tended
to remain small and entrepreneurial,” Walters says.

Technology is also one of the few ways that sites can differentiate
themselves. “We have to compete with free porn,” says James
Cybert, director of IT for Hotmovies.com. “What makes us competitive
is being virus-free and the consumer experience. If you aren’t
able to keep up with the technology you’ll be beat over the head.”

Or as Calvin Ayre, founder of the online gambling site Bodog.com,
says, “Technology is our lifeblood.”




Red  Light  Technologies 

So what are the latest technologies developed or perfected on the
red light Web that will eventually make their way into the
mainstream? CIO talked to IT leaders at some leading adult and
gambling sites so you don’t have to. These are some of the
technologies that they are looking at.

►  IPTV;  MPEG-4;  Smart  Search 

Scott Piper, CIO of New Frontier Media (one of the few publicly
traded adult companies), is keeping an eye on IPTV—television
delivered over the Internet. Over the next five years, he predicts
that the distinction between televisions and computers will
disappear. There are three models for how this could happen:
set-top boxes that connect to the Internet (with the user experience
controlled by a cable company); computer monitors in the living
room that run media software (Piper says that Vista may finally
make this viable); and appliances that forward computer content to
a television, like the new Apple TV.

Of  course,  IPTV  content  won’t  appear 
on  the  Internet  by  itself.  That  will  put 
CIOs  in  the  TV  business.  “IPTV  will 
blur  the  line  between  the  data  center 
and  the  broadcast  center,”  says  Piper. 

To  make  your  data  available  to  these 
new  IPTV  consumers,  CIOs  will  have  to 
digitally  encode  everything.  Most  of  the 
major  film  studios  are  just  beginning  that 
process;  New  Frontier  began  digitizing  its 
movies  five  years  ago.  One  of  the  technologies 
New  Frontier  is  using  for  this  is  MPEG-4,  an  emerging 
compression  standard.  Videos  compressed  with  MPEG-4  take 
less  space  to  store  and  less  bandwidth  to  deliver.  MPEG-4  also 
has  built-in  digital  rights  management  capability. 

But compressing and posting content is the easy part. With
every program available at any moment, how will users find
programs? Piper believes that search will be the killer app of IPTV.
To that end, New Frontier is obsessive about metadata, watching
every frame of every video it digitizes and recording as many
attributes as it can. Customers can use these metadata tags to
refine their searches until they find precisely what they’re
looking for. (For example, if you have a thing for blondes on the
beach, a search on New Frontier’s adult website Ten.com for
“clothing-accessories-sunglasses,” combined with
“setting-outdoors-beach,” and “physical-hair-blonde,” returns two
15-minute clips, the fourth scene from Lock, Stock and Two Smoking
Bimbos 2 and the first scene from Pick Up Lines 82.)

IPTV  will  require  this  kind  of  search  on  steroids.  “There  will 
be  so  much  choice  that  the  average  consumer  will  be  frustrated 
without  concise  recommendations,”  says  Piper.  New  Frontier  is 
experimenting with a search that combines what people are looking
for with information about past preferences. “This will not
only  be  a  great  up-sell  vehicle  but  also  an  avenue  by  which  we 
can  broaden  people’s  tastes,”  Piper  says. 




►  Mobile  Content  Delivery 

One  of  the  biggest  areas  of  growth  in  the  adult  space  is  delivering 
content  to  mobile  phones.  There  are  more  than  three  times  as  many 
mobile  phones  in  the  world  as  there  are  computers.  Plus,  people 
always  have  their  phones  with  them.  And  that’s  important.  “By  its 
very nature, arousal is impulsive,” says Julia Dimambro, managing
director of Barcelona-based Cherrysauce, which delivers adult
material  to  mobile  phones.  “Mobile  brings  immediate  gratification. 
With  the  Internet,  you  have  to  wait  until  you  get  home.” 

Dimambro  points  out  that  what  works  on  television  and  the 
Internet  won’t  necessarily  work  on  the  phone’s  small  screen.  For 
starters, the screen dimensions are different, which means existing
video form factors, as well as other content, have to be
reconfigured to fit or be specifically conceived with the mobile
phone  in  mind. 

One type of mobile promotion meeting with some success is
“bluecasting.” For example, an advertiser will have a billboard in
Heathrow Airport that says that anyone interested in learning about
a particular product (say a Range Rover SUV) should turn on their
phone’s Bluetooth capability. The billboard then detects the phone
and sends it an advertisement or promotion for the product.

One of the services that Cherrysauce is experimenting with is
putting plasma screen TVs in pubs. The screen shows a picture of a
sexy woman and then prompts viewers to switch on the Bluetooth on
their handset. This then allows the “bluejacking” box at the side
of the TV screen to send content directly to the handset. Another
marketing initiative places advertisements on TV or in print and
asks viewers to send a text message to a special short code number,
like 12345, if they want to see more. If they do, a link to download
the content is returned to their handset via SMS or WAP message,
sometimes with a charge attached. This is a process called
premium SMS, and it’s a way of giving customers access to the
mobile Web without requiring them to type in complicated URLs.
Each short code number is registered with the mobile service
providers. “If the user sends his text message to an adult short
code, he is checked automatically to see if he has age-verified
with his network,” such as $41 billion British mobile giant
Vodafone, explains Dimambro. “If not, he is sent to the age
verification service in order to access the content.”

►  New  Programming  Languages 

The  user  experience  is  central  to  the  success  of  any  site.  And  so 
red  light  sites  are  trying  to  find  the  latest  and  best  programming 
languages  in  order  to  improve  the  way  their  sites  look  and  feel. 

“Java is really robust,” says Bodog founder Ayre. “But it’s a
pretty expensive development platform. We’re starting to see the
emergence of a new wave of Web-savvy languages.” The one he
likes the best right now is Ruby on Rails, an open-source language
that was designed to facilitate the development of Web applications
with database back ends. “There’s nothing that Rails lets us do
that we can’t do with other tools,” says Ayre, “but Rails holds the
promise of doing it faster, and the more productive our product
development teams are, the more features we can deliver.”

Bodog is also moving away from Java toward Flash for online games
such as poker. Building the games with Flash means that users can
play them without having to download anything. “Downloading is an
entry barrier that Flash eliminates,” says Ayre. “We know that
given a choice, most players will choose a Flash version of a game
versus a downloadable one.” And now Flash is robust enough
that Bodog can build sophisticated games with it.


►  Personalization  and  Customization 

There  are  so  many  different  red  light  sites  competing  for  dollars  and 
eyeballs  that  the  only  way  to  succeed  is  to  build  a  relationship  with 
the  user,  and  gambling  and  adult  sites  have  managed  to  personalize 
the  user  experience  to  an  impressive  degree. 

“Over  the  last  few  years  we’ve  seen  our  design  team  evolve  into 
a  user  experience  department,”  says  Ayre.  This  group  takes  into 
account  everything  from  color  theory  to  informational  hierarchies. 
For  example,  one  of  the  first  things  Bodog  learned  when  it  launched 
the  latest  version  of  its  site  was  that  people  don’t  like  red  poker 
tables.  So  the  company  came  up  with  a  tool  that  lets  users  choose 
the  color  they  want  their  table  to  be,  and  traffic  picked  up. 

At Hotmovies.com, IT Director Cybert has built a drag-and-drop
tool that lets his customers compile scenes or parts of scenes
from  their  favorite  videos.  So  far,  customers  have  made  4,800 
compilation  movies  consisting  of  more  than  350,000  clips. 

And  not  only  does  the  compilation  function  allow  users  to  create 
their  own  highly  personalized  experience,  it  gives  Hotmovies  data 
on the kind of videos each user is looking for. “You have to
understand your audience and give them what they want,” says Cybert.

There  are  also  ways  to  customize  a  site  even  if  the  person  visiting 
has never been there before. Cubik Media uses geotargeting, a
technique that locates people based on their IP addresses, to tailor the
user  experience.  At  its  most  basic,  geocoding  allows  Cubik  to  display 
the  site  in  the  user’s  native  language.  But  it  also  presents  a  chance  to 
localize  the  site.  “Someone  from  Japan  wants  to  see  Asian  girls,”  says 
Lindberg.  “People  want  an  experience  that 
feels  like  their  culture.” 


A  HISTORY  OF  INNOVATION 

Technologies  spawned  or  matured  in  the  Web’s  red  light  district 

Streaming  video.  YouTube  made  it  famous;  adult  movies  made  it 
economically  viable. 

Videoconferencing.  Businesspeople  increasingly  use  online  chat  and  embedded 
video  rather  than  conducting  face-to-face  meetings.  Before  that,  it  was  used  to 
communicate  with  Live!  Girls!  Now! 

Digital  rights  management.  Through  their  disregard  for  intellectual  property 
rights,  adult  sites  helped  spur  the  music  and  film  industries  to  apply  DRM  to  their 
online  content. 

E-commerce. The content on adult sites was so compelling (to some), it helped
people overcome their fear of using a credit card online, according to Frederick Lane, author
of Obscene Profits: The Entrepreneurs of Pornography in the Cyber Age. -B.W.


Talking  About  Innovation 


Red  Lights, 

Best  Practices 

Historically,  gambling  and  adult  sites  have 
been  more  willing  than  their  mainstream 
counterparts  to  work  with  startup  vendors. 




“They’re much more willing to fund new technology,” says Hassan
Kotob, CEO of North Plains Systems, a digital asset management
vendor. “At the end of the day, content is all that they have so
an innovative technology can go straight to the bottom line.”

“We’re  looking  for  solutions  that  will  allow  us  to  improve  by 
large  margins,”  says  New  Frontier  CIO  Piper.  “We  won’t  buy 
faster storage arrays if they only give us 10 percent improvements.
We’re looking for 50 percent or greater.” Examples of new
technologies  that  New  Frontier  has  invested  in  are  high-speed 
network  storage  that  allows  the  company  to  stop  writing  to  tape 
because  speed  went  up  by  a  factor  of  10,  and  backup  systems  that 
don’t  take  a  storage  array  offline  while  the  backup  is  running. 

Another  red  light  best  practice  is  to  look  for  vendors  that 
use  open  source.  Since  sites  are  open  24/7  (late-night  hours  are 
extremely  profitable  on  the  red  light  Web),  “if  we  ever  run  into 
critical  issues  we  need  them  solved  now,  not  two  hours  from 
now,”  says  Bodog’s  Ayre,  who  has  learned  that  if  he  wants  his 
people  to  be  able  to  fix  something,  they  need  to  have  access  to  the 
source  code. 

“We  absolutely  could  not  get  a  couple  of  our  vendors  to  address 
an  issue  that  was  crippling  us,”  says  Ayre.  “Under  peak  loads, 
the  entire  site  became  nonresponsive.  We  had  no  choice  but  to 
decompile  the  systems  in  question  and  fix  the  problem  ourselves. 
This  was  probably  one  of  the  biggest  drivers  pushing  us  to  adopt 
open-source  solutions  for  our  most  critical  systems.” 

The  red  light  Web  has  all  the  hallmarks  of  a  new  technology 
incubator. It has a technology-savvy target audience, and “if
someone is conservative, they’re never going to get into this business
in the first place,” says Lindberg.

In other words, the red light Web is a place
where CIOs might be able to learn something.
And that may justify an occasional
trip...you know, for the technology.


To comment on this article, go to www.cio.com/article/117050.


52  JUNE  15,  2007  |  www.cio.com 



The  Strategic  CIO 

FULFILLING  THE  ROLE'S  NEW  MANDATE 


By  the  leaders  of  the  CIO  Executive  Council 

IT’s  Corporate  Vision 

The  CIO  of  Toyota  Motor  Sales  USA  combined  focus  groups,  critical  analysis  and  information 
integration  to  bridge  Toyota  silos,  craft  a  long-term  vision  and  cultivate  a  strategic  orientation 

BY  BARBRA  COOPER 


Too often CIOs sit and lament that their business
doesn’t provide them with a clear strategy to map
to—something complete, enterprisewide and
wrapped in a nice leather binder. I was tired of being
one of these CIOs. At Toyota, we were making significant investments
in functional systems for discrete parts of the business
without an overall view either of how these systems might be
better leveraged across the supply chain or how the business
would need to operate over the coming years. IT was all about
service, alignment and value; we had no rights to influence the
strategic direction of the business. We were always behind the
business waiting for the handoff. I determined to change that.

I wasn’t so overt as to say I’m going off to establish a beachhead
in the strategic planning department. I simply started a
series of focus groups with individuals from the planning side
of IT and midlevel managers from the planning organizations
and line operations on the business side. I deliberately started
at the middle level of the organization. When you get that level
of people together and make it comfortable for them to speak up,
they will share where they see gaps and opportunities. In fact,
they were pleased that someone was asking for their input. And,
because managers from these different organizations generally
work separately, they were happy to be together in a room with
their peers from across the company. To take away any pressure,
we asked them to focus 10 to 15 years out. If you’re talking three
years out, it’s more real. Farther out, you can fantasize a journey,
but use the train tracks of the business to get you there.

One area we discussed was quality. We asked, Can we




ILLUSTRATION  BY  IMAGES.COM/CORBIS 




maintain  our  relentless  focus  on  quality  with  larger  volumes 
and  increased  complexity  of  product  lines?  What  would  that 
mean 10 to 15 years from now to our current business processes,
our customers and our application portfolio? What
effect  would  telematics  have,  when  every  Toyota  on  the  road 
is  equipped  to  send  maintenance  and  performance 
data  back  to  the  company?  We  looked  at  how  we  would 
connect  from  Japan  all  the  way  through  the  supply  chain  to 
our  U.S.  dealers  and  customers. 

After these meetings, we had enough information to
coalesce 10 business themes. I brought the results to the top
executives at the company. I was careful to frame the presentation
as a request for advice. I told them, “As you know, we have
a real challenge in IT with more demand than supply, and we
want to try to get ahead of the curve. The more I can anticipate,
the better we will be at fulfillment.” I wanted to get them
comfortable talking about the future and get their opinions
about the business drivers I was putting on the table.
They suggested some edits and signed off on the strategic
vision.


A  New  Strategic  Picture 

My  next  step  was  to  use  those  drivers  as  compass  points  in  a 
model  that  would  frame  the  issues  for  the  top  executives.  We 
mapped  aspects  of  our  business,  such  as  the  supply  chain,  to 
their  associated  organizations  (such  as  aftermarket  parts)  and 
business  processes,  as  well  as  the  affiliated  systems  and  their 
fully  loaded  costs.  (We  had  done  a  detailed  audit  of  all  of  our 
systems  costs,  so  those  data  points  were  accessible  to  us.)  Then 
we  ran  a  regression  analysis  to  derive  risk  parameters  such  as 
the  age  and  cost  of  systems  and  the  skill  sets  needed  to  support 
them.  We  plotted  points  of  risk  on  the  model. 

When  we  were  finished,  our  executives  could  see  on  a  single 
sheet  of  6-foot-by-4-foot  paper  everything  they  needed  to  draw 
conclusions  regarding  the  risk  associated  with  our  strategic 
business  drivers  and  the  systems  that  support  them.  For  the 
first time our executives could see how changing business conditions
anywhere along the supply chain would affect their IT
portfolio.  We  also  created  a  second  layer  of  information  to  show 
the  real-time  situation  and  the  short-term  factors  in  play. 

The conversation changed. The executives were now able
to see how applications—whether our 30-year-old legacy systems
or the technology we were planning to bring in—mapped
to their business drivers. They now understood the correlation
between their ability to go to market, the cost
impacts and how many competing interests would
be vying across the enterprise at the same time.
One executive, contemplating the challenges a few
years down the road, looked at his watch and joked,
“Thankfully, I’ll be retired before then.”

Map Your Business Strategy

Download Barbra Cooper’s template for ALIGNING BUSINESS STRATEGY
WITH I.T. at www.cio.com/article/108251

Connecting  Silos 




Four years have passed since I began the effort to
make IT a core element of our strategic planning process. I’ve
realized that you can’t change the fact that silos exist—that the
head of marketing is going to worry about marketing, and the
head of engineering is going to worry about engineering. But
you can help them to articulate together a set of broad, long-term
objectives. We have succeeded at getting executives comfortable
talking about strategic issues at an enterprise level.
Meanwhile, they appreciate better the complexity and challenge
of integrating business processes, IT and go-to-market
strategies.

My role has changed. Fifty percent of my focus is now on
business engagement and strategy. My attention to the future
of the business has also helped focus my attention on the next
generation of IT leaders in the company—the people who will
succeed me. I want to see a day when, in an executive committee
meeting, we CIOs are no longer asked solely about how
our projects are going and the condition of our operations, but
are also asked for our strategic perspective. Business executives
should see the CIO as the person with the best overview
of company operations—and thus the person best positioned
to look strategically at how to optimize her company’s go-to-market
capabilities. We are getting there, but we have to drive
ourselves.


Barbra Cooper is group VP and CIO at Toyota Motor
Sales USA. She is also a member of the CIO Executive
Council. Go to www.cio.com/cec/strategic_cio/
to find more Strategic CIO columns and tools.






Editorial,  Advertising  and 
Business  Offices:  CXO  Media 
Inc.,  492  Old  Connecticut  Path, 
P.O.  Box  9208,  Framingham,  MA 
01701-9208,  508  872-0080. 

CIO (ISSN 0894-9301) is published
semimonthly and as a
combined issue Dec. 15/Jan. 1 by
CXO Media Inc. Periodicals postage
paid at Framingham, MA, and
at additional mailing offices. Canada
Publications Mail Agreement
Number 1902075. CANADIAN
POSTMASTER: Please return
undeliverable copy to P.O. Box
1632, Windsor, ON N9A 7C9.

Permissions: Copyright 2007
by CXO Media Inc. All rights
reserved. Reproduction of
material appearing in CIO
is forbidden without written
permission. Send all requests
to Yadira Pizarro, PARS International,
212 221-9595, Ext. 231,
or yadira@parsintl.com.

Photocopy  Rights:  Permission 
to  photocopy  for  internal  or 
personal  use  or  the  internal  or 
personal  use  of  specific  clients  is 
granted  by  CIO  for  users  through 
the  Copyright  Clearance  Center, 
provided  that  a  fee  of  $3.50  per 
copy  of  the  article  is  paid  directly 
to  Copyright  Clearance  Center, 
222  Rosewood  Drive,  Danvers, 

MA  01970.  www.copyright.com. 
Please  specify:  ISSN  0894-9301. 
Permission  to  photocopy  does 
not  extend  to  contributed  articles 
followed  by  this  symbol:  $. 

Subscriptions: CIO is free to
qualified information executives.
To apply, use our online subscription
form at www.subscribe.cio.com.
Subscriptions are also
available on a paid basis at a rate
of $95 for the United States and
Canada, $195 International (payable
in U.S. funds only) and may
be ordered online at
www.subscribe.cio.com/services.html.
Or address inquiries to
CIO. P.O. Box 489, Northbrook,
IL 60065-0489: 866 354-1125.
Please allow four to six weeks for
a new subscription to begin. The
single copy price is $9 for the
United States and Canada, and
$15 International. Prepayment is
required, payable in U.S. funds.

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio 
and  follow  the  online  instructions. 

Postmaster:  Send  change  of 
address  to  CIO.  P.O.  Box  489, 
Northbrook,  IL  60065-9816. 
Printed  in  the  U.S.A. 





I’ve Learned

AS TOLD TO MARGARET LOCHER


Futurist and technology pundit Esther Dyson focuses
on emerging technologies, companies and
business models. A founding member
of ICANN, today her company, EDventure,
invests in startups.


It's  important  to 
question  hype. 

I’m  mostly  a  skeptic  about 
emerging  technologies.  I 
started  as  a  fact  checker  at 
Forbes  and  learned  to  be 
specific  and  skeptical. 

Blogs  and  social 
networking  are 
overhyped. 

I  write  a  blog.  I  know  from 
experience  that  they’re 
not  the  ultimate  destiny  of 
mankind.  And  I  don’t  think 
it’s  important  for  every 
executive  or  tech  expert 
to  have  one.  A  blog  is  a 
useful  outlet  for  someone 
who  has  things  to  say  and 
wants  to  publish  them.  In 
terms  of  the  qualities  a 
blog  should  possess, 
authenticity  is  pretty 
high  on  my  list. 

A ghost-written
blog is not the
real thing. I do
have one difficulty
with blogging: fact
checking. Sometimes the
process slows down the
blog. Or I get too busy
and don’t post because I
can’t check all the facts. I
can’t see posting stuff that
could be inaccurate (as
opposed to opinionated).

I  don't  try  to 
predict  the  future. 

I just try to understand
the present. But since you
asked, one place I was
really wrong was about
privacy—or more specifically,
people's reaction to
the issue. I thought the
public would be much
more concerned and careful.
They are concerned
about it but are still careless.
They’re both willfully
ignorant and paranoid!

But I am having my own
problems trying to figure
out how to install an
upgrade from Symantec.
You could argue that the
vendors still don’t make it
easy enough.

Established companies
can learn a
lot from startups.

Startups can teach
mature companies
how to have a sense of
humor and to be responsive
and flexible. And to
focus more on customers
than on internal politics.

ICANN  taught  me 
a  lot. 

There’s  not  much  need 
for  a  lot  of  central  policy 
direction  on  the  Net. 
ICANN,  the  nonprofit 
entity  that  oversees  the 
Internet’s  systems  and 
protocols,  did  the  wrong 
things  in  that  regard.  It 
designed  a  market  with 
too  much  regulation 
and,  ironically,  too  little 
enforcement.  Its  rules  are 
so  rigid,  and  prices  are 
set  so  that  registries  and 
registrars can’t generally
compete on anything
other than sleazy marketing
practices. There needs
to be more disclosure and
real penalties for breaking
the rules, but overall fewer
rules. What did I learn
from that experience?
Fight harder for transparency.
Avoid centralized
power. And don’t trust
people to do the right
thing; design systems that
help them to do so.


To comment go to www.cio.com/article/115000.




PHOTO  BY  JOHN  ABBOTT 



